By Roy Urrico
About U.S. 60 credit unions reportedly experienced outages due to ransomware attack on a cloud IT provider. The NCUA said in a statement to The Record, a cybersecurity news publication that broke the story, that it was “coordinating with affected credit unions” in the aftermath of the incident.
The full extent of the outage and its impact on credit unions is still unclear. Reportedly, NCUA spokesperson Joseph Adamoli said the ransomware attack targeted cloud solutions provider Ongoing Operations, a company owned by credit union technology firm Trellance.
Adamoli also said the NCUA received incident reports indicating that several credit unions were sent a message from Ongoing Operations that as a result of a ransomware attack on the tech firm on Nov. 26, approximately 60 credit unions experienced some level of outage.
“The NCUA is coordinating with affected credit unions. Member deposits at affected federally insured credit unions are insured by the National Credit Union Share Insurance Fund up to $250,000,” Adamoli said. The NCUA informed the U.S. Department of the Treasury, the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) about the incident.
One of the supposedly affected credit unions, $53 million Peru, N.Y.-based Mountain Valley Federal Credit Union, told Jonathan Greig at The Record that technicians from the hacked IT provider were “working around the clock to get our systems” back online.
The Record also reported the attack “is having larger downstream effects on other credit union technology providers,” but so far only Ongoing Operations has issued a statement.
Ongoing Operations Issues Statement
In a statement dated Dec. 2, 2023, Ongoing Operations, stated it recently experienced an isolated cybersecurity incident. “Once we identified the incident, we immediately began working with our IT staff and engaged third-party forensic specialists to investigate the nature and scope of the incident. This incident is isolated to a segment of the Ongoing Operations network and our team is diligently working around the clock to minimize service interruptions wherever possible and to ensure the safety of information stored on our systems. We will notify impacted individuals once we confirm the scope of the incident.”
The Ongoing Operations statement added, “The investigation to determine what impact this incident may have had on information stored on our network systems is ongoing. We are committed to data privacy and security, and we take this matter very seriously. We have engaged leading experts to recommend and implement additional measures designed to increase our data security and block further unauthorized access to our systems moving forward.”
The statement contained a chronology of the event and the aftermath:
· On Nov. 26, 2023 Ongoing Operations experienced an isolated cybersecurity incident.
· “Upon discovery, we took immediate action to address and investigate the incident, which included engaging third-party specialists to assist with determining the nature and scope of the event.”
· “We notified federal law enforcement. At this time, our investigation is currently ongoing, and we will continue to provide updates as necessary.”
· “Please know that currently, we have no evidence of any misuse of information, and we are providing notice in an abundance of caution to ensure awareness of this event.”
· “As part of our response to this incident, we are reviewing the impacted data to determine exactly what information was impacted and to whom that information belonged.”
· “This incident is isolated to a segment of the Ongoing Operations network and our team is diligently working around the clock to minimize service interruptions wherever possible and to ensure the safety of information stored on the Ongoing Operations systems.”
· “We have notified all impacted customers and any who have not received a notice were not affected by this incident.”
The firm added, “Ongoing Operations takes this incident seriously and regrets any concern it may cause your organization. We are committed to working with you in response to this incident. We have set up a dedicated email address for inquiries related to this incident: firstname.lastname@example.org.”
An Increase in Attacks
The NCUA warned in August that it was seeing an increase in cyberattacks against credit unions, credit union service organizations (CUSOs), and other third-party vendors providing financial services products and services.
In February 2023, the NCUA approved new rules that require a federally insured credit union to notify the NCUA within 72 hours of a cyberattack. The rule began Sept. 1. In testimony before the House Financial Services Committee NCUA Chairman Todd M. Harper in Nov. 2023 said, “In the first 30 days after the rule became effective, the NCUA received 146 incident reports, more than it had received in total in the previous year. More than 60% of these incident reports involve third-party service providers and CUSOs.”
Earlier this year Cybersecurity and Infrastructure Security Agency (CISA), the FBI, National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) published the #StopRansomware Guide.
In the guide, Rob Joyce, NSA director of cybersecurity, said, “Ransomware tactics have become more destructive and impactful. Malicious cyberactors are not only encrypting files and asking for ransom, they are also exfiltrating data and threatening victims to release it as a form of extortion. Most importantly, the speed of compromise and impact have increased dramatically, requiring even more effort on the part of defenders. These attacks will only continue evolving into more frequent and more sophisticated ransomware attacks. We need to effectively counter this growing threat.”