60 credit unions facing outages due to ransomware attack on popular tech provider

About 60 credit unions are dealing with outages due to a ransomware attack on a widely used technology provider.

National Credit Union Administration (NCUA) spokesperson Joseph Adamoli said the ransomware attack targeted the cloud services provider Ongoing Operations, a company owned by credit union technology firm Trellance.

Adamoli said the NCUA, which regulates credit unions at the federal level, received incident reports indicating that several credit unions were sent a message from Ongoing Operations saying the company was hit with ransomware on November 26.

“Upon discovery, we took immediate action to address and investigate the incident, which included engaging third-party specialists to assist with determining the nature and scope of the event. We also notified federal law enforcement,” Ongoing Operations told affected credit unions.

“At this time, our investigation is currently ongoing, and we will continue to provide updates as necessary. Please know that at this time, we have no evidence of any misuse of information, and we are providing notice in an abundance of caution to ensure awareness of this event.”

Adamoli confirmed that approximately 60 credit unions are currently experiencing some level of outage due to a ransomware attack at a third-party service provider.

“The NCUA is coordinating with affected credit unions. Member deposits at affected federally insured credit unions are insured by the National Credit Union Share Insurance Fund up to $250,000,” he said.

He added that they have informed the U.S. Department of the Treasury, the Federal Bureau of Investigation, and the Cybersecurity and Infrastructure Security Agency about the incident. Trellance did not respond to requests for comment.

The attack is having larger downstream effects on other credit union technology providers, including FedComp, a company that offers data processing solutions to credit unions.

FedComp did not respond to requests for comment but a notice on its website says “the FedComp Data Center is experiencing technical difficulties and is under a country wide outage.”

“We are down with no ETA, but Trellance is still working on resolving the issue. There is no email support, but the Tech line is available,” the statement said.

One of the affected credit unions, Mountain Valley Federal Credit Union (MVFCU), released a notice on Thursday warning customers that it was dealing with significant outages.

The Peru, New York-based credit union serves thousands of people across Clinton or Essex County. It said its data processor — FedComp — informed them of the ransomware attack on Trellance.

“Trellance has indicated that our member information has not been affected by this incident,” CEO Maggie Pope wrote in a letter to members.

“Because of this, Trellance must move to a new server system. This process does take time as there are multiple steps involved. This is not just an MVFCU issue, it is nationwide. Trellance and FedComp have been working around the clock to get our systems along with other credit unions around the country that have experienced the same issue back online.”

Mountain Valley said it plans to cover any and all fees associated with the incident.

An increase in attacks

The NCUA warned in August that it was seeing an increase in cyberattacks against credit unions, credit union service organizations (CUSO), and other third-party vendors supplying financial services products.

Multiple credit unions were affected by the cyberattack on the MOVEit file transfer software earlier this year and dozens of organizations have filed data breach reports with regulators in Maine over the last three years.

The RansomHouse extortion group added Jefferson Credit Union to its list of victims in 2022 and Envision Credit Union announced a cyberattack last year involving the LockBit ransomware group. Ardent Credit Union also faced an incident in 2020.

In February, the NCUA approved new rules that require a federally insured credit union to notify the NCUA within 72 hours of a cyberattack. The rule came into effect on September 1.

NCUA Chairman Todd Harper said in October that in the first 30 days after the rule went into effect, the NCUA received 146 incident reports — a number the organization previously only saw in an entire year.

He lauded the proactive efforts that credit unions are taking to reach out to government agencies for cybersecurity help but noted that his organization’s ability to analyze the “entire credit union system remains limited.”

“That’s because CUSOs and credit union third-party service providers do not have the same level of oversight as bank vendors, as the NCUA lacks the statutory authority to directly examine or supervise these entities,” he said.

“Stakeholders must understand that the risks resulting from the NCUA’s lack of vendor authority are real, expanding, and impact all of us.”

He added that more than 60 percent of the cyber incidents reported to the NCUA involve third-party service providers and CUSOs.

“Until this growing regulatory blind spot is closed, thousands of federally insured credit unions, tens of millions of consumers who use credit unions, and trillions in assets are exposed to high levels of risk,” he said.