Patelco Credit Union acknowledges personal information exposed in June ransomware attack

Nearly two months after a ransomware attack halted Patelco Credit Union banking services, the company on Tuesday acknowledged for the first time that customers' and employees' personal information was exposed in the security breach.

The Dublin-based credit union has 37 branches in the Bay Area and the Sacramento area serving 455,000 customers.

In an email sent to customers Tuesday evening and on its website , Patelco CEO Erin Mendez said the June 29 ransomware attack involved access to databases of current and former customers and employees. The information included first and last name, Social Security number, driver license number, date of birth, and/or email address.

Mendez said after working with law enforcement and a third-party cybersecurity firm, the investigation revealed that hackers gained access to its network on May 23, which led to access to the databases on June 29.

"Following the investigation and a thorough review of the data involved, we confirmed on August 14, 2024, that the accessed databases contained your personal information," the email to Patelco members said. "Although the investigation identified unauthorized access to some of our databases, the specific data that was accessed has not been determined. Accordingly, we are notifying individuals whose information was in those databases."

It was not clear why Patelco notified the persons affected nearly one week after confirming the data breach. When asked by CBS News Bay Area, Patelco spokesperson Rina Johnson said, "Responding to these types of incidents takes a great deal of time, due diligence, and careful coordination. We responded to this development as quickly as we were able to."

Patelco said it offered customers whose information was exposed a complimentary two-year membership to a credit monitoring and identity protection service. Customers were also urged to place a fraud alert and security freeze on their credit files, request a free credit report, and closely monitor their account statements and credit reports for any irregular activity over the next 12 to 24 months.

Most Patelco banking services were re-established over two weeks following the ransomware attack . Ransomware is a type of malware that prevents access to a computer system or network, accompanied by a demand for payment to regain access. Victims who pay the ransom have no guarantees the encrypted files will be unlocked, and the attacks often result in costly disruptions to operations and loss of critical data.

Patelco has not disclosed whether any ransom was paid to regain access to the affected data. The source of the cyberattack was also not disclosed.

The credit union is facing at least two class-action lawsuits filed by two Patelco customers , who allege Patelco has not safeguarded customers' personal information such as account numbers, Social Security numbers, and addresses from the data breach.

The company has not provided a statement in response to the lawsuit.

Patelco is the 27th largest credit union in the country with $9.8 billion in assets, according to data from the Federal Reserve. The non-profit credit union is one of the oldest credit unions in the U.S., begun in 1936 for employees of the former Pacific Telephone and Telegraph Company, now known as AT&T.