Around 60 US credit unions have reported outages after a ransomware attack against a third-party IT provider serving the sector.
Sector regulator the National Credit Union Administration (NCUA) said it was working with affected credit unions to tackle the problem.
The attack, on 26 November, targeted Ongoing Operations, part of Florida-based Trellance, a cloud computing firm provider used by credit unions. As of 4 December, Credit Union Times reported that many of the affected credit unions remain “non-operational”.
Ongoing Operations told Recorded Future News: “Upon discovery, we took immediate action to address and investigate the incident, which included engaging third-party specialists to assist with determining the nature and scope of the event. We also notified federal law enforcement.
“Our investigation is ongoing, and we will continue to provide updates as necessary. Please know that at this time, we have no evidence of any misuse of information, and we are providing notice in an abundance of caution to ensure awareness of this event.”
Credit union sector bodies have stressed that members’ money is safe. “Member deposits at affected federally insured credit unions are insured by the National Credit Union Share Insurance Fund up to $250,000,“ said NCUA.
Among those afffected is $52.5m Mountain Valley Federal CU in Peru, New York, which saw its systems knocked down for several days.
On 6 December, CEO Maggie Pope said on the credit union’s Facebook page: “We are on our way to bringing our systems back up today. Due to the enormous amount of work that we need to input – we will only operate via our Drive Thru at all branches.
“You are still able to conduct transactions as you have been. Online banking will also be up as soon as possible. We appreciate your continued patience and ask that you bear with us a little longer please. We will also have limited phone services as we work diligently to get our work done!“
The threat of ransomware attacks – which sees cyberattackers target businesses’ online systems to extort money – has long been a concern for the credit union sector. On 1 September, a new NCUA rule took effect requiring all federally insured credit unions to notify the regulator of suspected cyber incidents within 72 hours.
Related: Future-proofing co-ops: Sector leaders look at cybercrime and crisis communications