A MoveIt data breach went undetected for over a year at this credit union

Photo caption: UH (University of Houston) logo sign on the building at TDECU Stadium in Houston, Texas, USA, April 5, 2024 (Adobe Stock). Texas Dow Employees Credit Union suffered a data breach caused by a vulnerability in file transfer software MoveIt.

On Monday, Texas Dow Employees Credit Union, or TDECU, publicly acknowledged that it suffered a data breach affecting just over 500,000 people, adding to the list of the more than 60 banks and credit unions that fell victim to a vulnerability in Progress Software's file transfer system MoveIt.

The acknowledgement was unusual given its timing. Ransomware gang Cl0p began exploiting a vulnerability in MoveIt on May 27, 2023, and Progress Software notified customers and issued a patch four days later. While many institutional victims discovered they were affected by a MoveIt breach within a month, TDECU says it did not learn about the breach until July 30, 2024.

"Upon being informed of the vulnerability, TDECU immediately took actions" to assess and mitigate the damage, according to a letter the credit union sent to victims. "Following our investigation, we discovered on July 30, 2024, that certain files containing personal information of TDECU members were potentially removed from MoveIt by the bad actor between May 29-31, 2023."

According to the credit union's public statement, impacted data includes full names in combination with date of birth, Social Security number, bank or financial account number, credit and debit card number, driver's license or government ID and Taxpayer Identification Number.

Institutions that fall prey to a data breach can take months and even years to discover they were affected. In one of the largest MoveIt data breaches, Flagstar Bank notified customers only in October (four months after Progress Software reached out to customers) that they were affected by a breach.

Flagstar's case was unusual because the bank did not use MoveIt software at the time. Rather, cybercriminals stole Flagstar customer data from fintech and payments company Fiserv, which was the MoveIt user in that case.

By contrast, TDECU used MoveIt software directly, according to the letter to victims, so it would have been positioned to receive communications from Progress Software about the MoveIt vulnerability.

Also, the breach affecting TDECU members was massive relative to the size of the institution it affected. On its website, the credit union says it has 387,000 members; compare that to the 500,474 people affected by the breach, according to the credit union's disclosure to Maine's attorney general.

Despite these factors, it took 14 months for the institution to discover the data breach had occurred.

TDECU did not respond to a request for comment.

Often when cybercriminals steal data, they will notify the victim organization directly about it, as a way of extorting money in the form of cryptocurrency. This is the modus operandi of Cl0p, a group that typically operates ransomware but in this case exploited the MoveIt vulnerability to merely steal (rather than also encrypt) data.

In this case, things happened slightly differently. Rather than reach out to victims directly, Cl0p made hundreds of separate posts to its victim-shaming site, one for each institutional victim it claimed. For each victim, the gang said it would not post the data it stole, as long as that institution reached out and negotiated an extortion payment.

Cl0p appears to have taken this route as a matter of convenience. The gang stole so much data from so many institutions at the same time — by one estimate, 2,773 organizations and 95.7 million individuals — that it didn't bother to reach out to victims individually.

MORE FROM AMERICAN BANKER