Texas Dow Employees Credit Union (TDECU) has alerted the Maine Attorney General's Office that it is notifying more than 500,000 members about a significant data breach. The breach, detailed in the notification, occurred due to a hack on the MOVEit file transfer software more than a year ago—on May 29, 2023—which was only discovered on July 30th.
The incident involved the theft of files containing sensitive personal information, including names, dates of birth, Social Security numbers, bank account numbers, credit card numbers, driver license numbers, other ID numbers, and taxpayer identification numbers. TDECU is taking steps to address the breach and protect its members, including offering credit monitoring services.
"The MOVEit managed file transfer software vulnerability (CVE-2023-34362) continues to be discussed in the news due to widespread exploitation and the depth of exploitation," said Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit. "Groups including the infamous Cl0p ransomware group quickly took advantage of this Zero-Day opportunity to exploit targets of interest for high payouts. In the case of ransomware, involving double extortion tactics, techniques, and procedures (TTPs), it is common for a wealth of data to be stolen to force payout. Ransomware continues to be one of the most common and also highest impact threats facing every organization in 2024."
The breach highlights the growing risks associated with third-party software vulnerabilities, as MOVEit has been at the center of several high-profile breaches this year. TDECU's prompt notification to affected members and regulatory bodies underscores the importance of transparency and swift action in the aftermath of such incidents.
"The sheer scope of the MOVEit breach is concerning, but what's even more alarming is that the breach at TDECU went undetected for more than a year," said Darren Guccione, CEO and Co-Founder at Keeper Security. "This significant delay not only underscores the need for continuous monitoring and robust cybersecurity practices but also has severe implications for victims. The extended exposure of sensitive personal information—while victims remained unaware—significantly raises the risk of identity theft and financial fraud."
TDECU is advising members to stay vigilant for potential signs of identity theft and to take advantage of the credit monitoring services being offered. The credit union is working closely with cybersecurity experts to strengthen its defenses and prevent future breaches. As the investigation continues, TDECU said it remains committed to protecting its members' data and maintaining trust through comprehensive security measures.
"While we may tire from hearing about MOVEit updates in the news, it is critical to apply lessons learned to each organization—what can an organization do to proactively move to the 'left of boom' to avoid exploitation, rapidly identify and remediate threats if an incident occurs, and best manage a disaster should one occur?," Dunham said. "Readiness is more than planning on paper; it requires regular testing, demonstrating TTPs and defensive measures, testing for operational excellence and gaps. It also requires running drills—blackbox, graybox, and whitebox—to continually prepare and adjust to dynamic global threatscape risks to an organization."
"The TDECU notification is yet another reminder of the far-reaching impact of the MOVEit breach. We're likely to see these ripple effects continue for months, if not years," said Adam Gavish, Co-Founder and CEO at DoControl. "This long tail has two critical aspects we need to consider. First, there's the ongoing vulnerability. Despite widespread awareness, we're still seeing organizations slowly patching their MOVEit deployments. This creates a persistent risk, as attackers continue to probe for unpatched systems. Security teams need to prioritize identifying and patching any remaining vulnerable MOVEit instances immediately. Second, and perhaps more concerning, is the potential for delayed data leaks. Many organizations may not even realize their MOVEit deployment was compromised. This stolen data could surface on Dark Web forums or be used in targeted attacks months or even years down the line. It's a ticking time bomb of potential breaches."