North Haven, Connecticut-based Connex Credit Union disclosed a data breach last week involving roughly 172,000 people’s personal information.
Names, account numbers, debit card information, Social Security numbers and government identification customers used to open accounts are among the data elements potentially exposed, the credit union told the Maine attorney general’s office Aug. 7.
However, “Connex has no reason to believe the incident involved unauthorized access to member accounts or funds,” the credit union said in its notice – and repeated in a letter to customers included in the disclosure.
Connex launched an investigation after experiencing “unusual activity in its cyber environment” June 3, the credit union said. The probe showed certain files may have been accessed or downloaded without authorization June 2 and 3. By July 27, the credit union had identified the people whose information may have been affected in the incident, according to the disclosure.
The credit union also published a banner at the top of its website, alerting customers to “be aware that scammers are calling/texting members impersonating Connex employees.”
“Connex will never call you and ask for PINs, passcodes or account numbers,” the alert reads.
The credit union established a toll-free call center to answer questions and address customer concerns about the incident. Connex also is offering customers a year of complimentary credit and identity protection services through TransUnion unit CyberScout.
“We also notified the National Credit Union Administration and federal law enforcement and will provide whatever cooperation may be necessary to hold the perpetrators accountable,” Connex said in its letter to customers.
The credit union is hardly the first financial institution – even this past year – to suffer a breach. Phoenix, Arizona-based Western Alliance disclosed a cyber incident in March that potentially exposed 22,000 customers’ information. The intrusion, through a vulnerability in a third-party vendor’s file transfer software, went undetected for more than three months, according to a timeline the bank provided to the Maine attorney general’s office.
Cyber incidents have targeted regulators, too. Attackers gained access to the emails of Office of the Comptroller of the Currency employees, containing “highly sensitive information relating to the financial condition” of certain institutions. The incident, disclosed in April, spurred several big banks, including JPMorgan Chase, Bank of America and BNY, to pause sharing information electronically with the agency, according to sources familiar with the matter.
Connex isn’t alone among credit unions in experiencing a breach. Lake Jackson, Texas-based TDECU disclosed last August that it was one of several dozen financial institutions affected by a MoveIt cybersecurity incident, though it didn’t learn that until more than a year afterward.
Perhaps the most infamous breach of a bank in the past decade was a July 2019 hack of Capital One by a former Amazon Web Services employee. The breach exposed the personal data of 106 million people.
Capital One paid an $80 million penalty to the OCC and another $190 million to settle a class-action lawsuit. The Federal Reserve terminated a breach-related enforcement action against the bank in 2023, about 10 months after the OCC ended a separate order.
The ex-AWS employee, Paige Thompson, was convicted in 2022 of wire fraud and five counts of unauthorized access to a protected computer and damaging a protected computer after a misconfigured firewall allowed her to access the data.