MOVEit Fallout: More Than 500,000 Texas Credit Union Members' Data Impacted
This MOVEit Transfer data breach occurred more than a year ago.
A Texas credit union has discovered the personal information of more than 500,400 of its members was stolen in a MOVEit Transfer data breach in May of 2023.
The Texas Dow Employees Credit Union (TDECU) disclosed the data breach in a notification on its website. It also reported to the Maine Attorney General’s Office that the breach impacted 500,474 credit union members.
“TDECU was notified by a third-party vendor used by TDECU to transfer data, MOVEit, that they were compromised by a bad actor on or around May 31, 2023 in an attack that affected thousands of organizations, government entities, private businesses, financial institutions and more around the world, with over 20 million individuals impacted,” the credit union said on its website. “Certain TDECU data may have been viewed or taken by the bad actor as part of this attack. There was no compromise of TDECU’s broader network security.”
Following its investigation, the credit union discovered on July 30 that certain files containing members' personal information were potentially removed from MOVEit by the bad actor between May 29-31 of 2023. The impacted data includes full names, dates of birth, Social Security numbers, bank/financial account numbers, credit/debit card numbers, drivers’ licenses/government IDs and taxpayer identification numbers.
“To date, TDECU is not aware of any incidents of identity fraud or financial fraud as a result of the incident,” the credit union said.
We began reporting on MOVEit Transfer attack victims in summer of 2023. According to research firm KonBriefing, over 2,600 organizations have disclosed MOVEit Transfer attacks as of December 2023.
Scope of Credit Union Data Breach ‘Concerning’
Darren Guccione, Keeper Security’s CEO and co-founder, said the sheer scope of the MOVEit breach is concerning, but what’s even more alarming is that the TDECU breach went undetected for more than a year.
“This significant delay not only underscores the need for continuous monitoring and robust cybersecurity practices, but also has severe implications for victims,” he said. “The extended exposure of sensitive personal information – while victims remained unaware – significantly raises the risk of identity theft and financial fraud. The fact that TDECU’s breach remained undetected for so long highlights the critical importance of rigorous and continuous patch management. Multiple patches were released following the MOVEit breach, and with any breach of this scope, it is imperative that they be applied promptly. However, applying patches is just one part of the solution – systems must also be continuously monitored for any signs of unusual activity.”
The MOVEit breach must remain top of mind for all security teams in the near future and should serve as a “stark reminder” of the importance of cybersecurity investment and prioritization, Guccione said.
“The extensive impact and the prolonged detection issues at TDECU highlight the need for ongoing attention to known vulnerabilities,” he said. “Securing data transfers, particularly with third-party vendors, is vital, but so are strong internal security measures.”
Far-Reaching Impact of MOVEit Breach
Adam Gavish, DoControl’s CEO and co-founder, said the TDECU notification is yet another reminder of the far-reaching impact of the MOVEit breach.
“We're likely to see these ripple effects continue for months, if not years,” he said. “This long tail has two critical aspects we need to consider. First, there's the ongoing vulnerability. Despite widespread awareness, we're still seeing organizations slowly patching their MOVEit deployments. This creates a persistent risk, as attackers continue to probe for unpatched systems. Security teams need to prioritize identifying and patching any remaining vulnerable MOVEit instances immediately. Second, and perhaps more concerning, is the potential for delayed data leaks. Many organizations may not even realize their MOVEit deployment was compromised. This stolen data could surface on dark web forums or be used in targeted attacks months or even years down the line. It's a ticking time bomb of potential breaches.”
Companies need to conduct thorough audits of what data they've been transferring through MOVEit or similar file transfer services, Gavish said.
“Understanding what sensitive information might have been exposed is crucial for risk assessment and mitigation,” he said.