Data Breach Exposes 240,000 Credit Union Members’ Information

A significant data breach at SRP Federal Credit Union, located in South Carolina, has potentially jeopardized the personal information of over 240,000 individuals, exposing them to risks of identity theft and financial fraud. Between September 5 and November 4, 2024, cybercriminals infiltrated the institution’s systems and accessed critical personal data, which includes Social Security numbers, driver’s license details, dates of birth, and financial account information.

The ransomware group identified as Nitrogen has claimed responsibility for the breach, asserting that it extracted around 650 GB of sensitive customer data from the credit union. Although SRP Federal Credit Union has given assurances that its core processing and online banking systems remain unaffected, the volume and sensitivity of the exposed data have raised serious concerns among cybersecurity experts and those affected, as reported by The Record.

The ten-week timeframe during which hackers maintained unauthorized system access suggests serious deficiencies in SRP’s security monitoring and incident response capabilities. Such an extended breach heightens the potential for data exploitation, allowing attackers ample opportunity to misuse or sell the stolen information.

In terms of tactics, this breach reflects potential techniques outlined in the MITRE ATT&CK framework, particularly in the areas of initial access through phishing or exploiting vulnerabilities, persistence by establishing backdoors, and possible privilege escalation to access sensitive account information. The persistence of the attackers indicates a well-planned operation that may have circumvented existing security measures.

As the fallout continues, members of SRP Federal Credit Union are advised to take immediate protective measures. Regular financial account monitoring is crucial in identifying unauthorized transactions swiftly. Those affected should also consider placing a credit freeze with the major credit bureaus—Equifax, Experian, and TransUnion—to thwart new credit applications made in their name.

Furthermore, setting up fraud alerts can prompt creditors to enhance their verification processes before issuing new credit. Changing passwords across financial and sensitive accounts is advisable, emphasizing the need for unique and strong passwords, possibly supported by a password manager. Enabling two-factor authentication on all accounts that offer it can substantially improve defense against unauthorized access.

In response to the breach, SRP Federal Credit Union has initiated standard incident response protocols, which include launching a forensic investigation to assess the breach’s scope and notifying involved law enforcement agencies. On December 12, the credit union began notifying the 240,742 affected individuals, providing them with essential information, including instructions to enroll in a year-long complimentary subscription to Experian’s credit monitoring services—a typical industry measure after significant data breaches.

The legal implications of this breach are also emerging. Oklahoma City-based Murphy Law Firm is investigating potential claims on behalf of those whose personal information was compromised and is encouraging impacted individuals to consider joining a potential class-action lawsuit.

SRP Federal Credit Union has yet to provide further comments regarding this incident. Updates will be issued as additional information becomes available.
