Massive federal credit union data breach exposes 240,000 members

SRP Federal Credit Union, a financial institution based in South Carolina, had a major data breach affecting more than 240,000 people.

The credit union handles highly sensitive information of hundreds of thousands of Americans, which is now in the hands of cybercriminals.

SRP revealed in a release that the data breach was part of a two-month attack by hackers, raising concerns about how it took the company so long to detect unauthorized access to its systems. I discuss the details of the data breach, its impact on people, and what you should do to stay safe.

What you need to know

SRP Federal Credit Union has reported a data breach that exposed the personal information of more than 240,000 individuals, according to documents filed Friday with regulators in Maine and Texas.

The company said it detected suspicious activity on its network and notified law enforcement. An investigation determined that hackers accessed the credit union’s systems between Sept. 5 and Nov. 4, potentially obtaining sensitive files. The investigation was completed on November 22, the company said.

SRP did not specify the exact details exposed in its notification to Maine regulators, saying only that names and government-issued identification were affected in the cyber attack.

However, in a filing with Texas regulators, the company said names, Social Security numbers, driver’s license numbers, dates of birth and financial information, including account numbers and credit or debit card numbers, were compromised. SRP said the breach did not affect its online banking or core processing systems.

Who is responsible for the violation?

SRP has not announced who is behind the attack or the attackers’ motives. However, the Nitrogen ransomware group claimed responsibility last week, claiming to have stolen 650GB of customer data, according to The Record. Ransomware attacks use malicious software to block access to the victim’s files, systems or networks and demand payment to restore access.

The credit union may face legal challenges following the data breach, as the Oklahoma City-based Murphy Law Firm is investigating claims on behalf of individuals whose personal information was exposed. The firm is also encouraging affected individuals to join a potential class action lawsuit.

SRP will provide affected individuals with free identity theft protection services, so take advantage of it to protect your information.

We reached out to SRP for comment but did not hear back by our deadline.

7 ways you can protect yourself from an SRP data breach

If you have received a notice from SRP Federal Credit Union regarding a data breach, consider taking the following steps to protect yourself.

1. Monitor your accounts: Regularly check your bank accounts, credit card statements and other financial accounts for any unauthorized transactions or suspicious activity. Contact one of the three major credit bureaus (Equifax, Experian or TransUnion) to place a fraud alert on your credit report, making it harder for identity thieves to open accounts in your name.

2. Build your credit: Consider freezing your credit to prevent new accounts from being opened without your consent. This service is free and can be removed at any time.

3. Use identity theft protection services: Consider signing up for identity theft protection services that monitor your personal information and alert you to potential threats. These services can help you detect and respond to identity theft faster. Some identity theft protection services also offer identity theft insurance and recovery assistance, providing additional peace of mind. See my tips and top picks on how to protect yourself from identity theft.

4. Change your passwords: Update passwords for your online accounts, especially those related to banking and email. Use strong, unique passwords and consider using a password manager to generate and store complex passwords. Also, enable two-factor authentication for added security.

5. Beware of phishing scams: Be wary of emails, texts or phone calls claiming to be from SRP or similar organizations. Avoid clicking on links or providing personal information unless you verify the sender.

The best way to protect yourself from malicious links is to install antivirus software on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best antivirus protection 2024 winners for your Windows, Mac, Android, and iOS devices.

6. Keep your device’s operating system up to date: Ensure that your mobile and other devices automatically receive timely operating system updates. These updates often include important security patches that protect against new vulnerabilities exploited by hackers. For reference, see my guide on how to keep all your devices up to date.

7. Invest in personal data removal services: Consider services that scrub your personal information from public databases. This reduces the chances of your data being used in phishing or other cyber attacks after a breach. Check out my top picks for data removal services here.