Ransomware Incident Affects Scores of Credit Unions

Credit union solutions provider Ongoing Operations experienced a cyber incident in late November. About 60 credit unions are believed to be suffering a level of disruption as a result.

Roughly 60 credit unions are reportedly experiencing system disruptions in the wake of a recent cyber incident, the National Credit Union Administration (NCUA) told The Record. The attack struck a commonly used third-party provider in late November, making it one of the latest cyber incidents disrupting critical infrastructure.

Ongoing Operations — a credit union-focused cloud and business continuity solutions company owned by Trellance — suffered an “isolated cyber security incident” Nov. 26, it said in a notice.

Several credit unions submitting incident reports to the NCUA specified that the company told them it was ransomware, per The Record.

Ongoing Operations declined to answer GovTech questions about the nature of the incident or about service restorations.

One of the impacted credit unions is Mountain Valley Federal Credit Union. MVFCU CEO Maggie Pope and the board of directors said in a Dec. 4 update that the credit union’s data processing system “remains non-operational,” but that customers are still able to use debit cards as well as get cash at physical credit union branches or through ATMs.

MVFCU also said in a post on its website that the credit union is currently unable to access customers’ personal information such as phone numbers and emails and so is relying on website and social media to share updates.

[Screenshot: Mountain Valley Federal Credit Union posted a notice on its website. The notice reads: "Attention Members: due to our systems being down - we cannot access your personal information such as phone numbers, email addresses, etc. The only way to notify you of updates is through our website and social media. you may email us at info@mountainvalleyfcu.com if you should have specific questions concerning your accounts. we truly appreciate your patience and sincerely apologize for the inconvenience."]

The credit union’s data processor, FedComp, informed MVFCU about the attack on Trellance. FedComp told them Trellance would need to move to a new server system and that it and Trellance were working “around the clock” to restore systems, per a Nov. 30 update from Pope and the board. As of Dec. 4, restoration work was still underway.

“Due to the number of credit unions affected and the volume of work completed in the past couple of days, it will take a little more time to launch our online banking platform,” Pope and the board said.

Ongoing Operations wrote in a Dec. 2 post that its efforts to restore services are making “significant progress.”

The company also said it will notify those impacted once it has determined the full scope of the incident. But that could take a while, with the company saying “the process of reviewing the files to determine what information may have been involved is lengthy and complex.” At present, it said it has not seen evidence of information being misused.

Ongoing Operations said questions about the incident can be emailed to a dedicated account: support@ongoingoperations.com.

This isn’t the only attack to affect the financial sector recently. Just last week, real estate services company Fidelity National Financial suffered a ransomware attack that impeded customers’ abilities to make mortgage payments.

The NCUA has also been putting more attention on cybersecurity and looking for more information and capabilities.

In September 2023, federally insured credit unions became required to report cyber incidents to the NCUA within 72 hours. In the 30 days following that rule’s enactment, the NCUA received 146 incident reports — about as many as it usually receives during an entire year, per an October statement from NCUA Chair Todd Harper.

The incident with Ongoing Operations is another demonstration of how impactful attacks on vendors can be. Per the October NCUA statement, “more than 60 percent of the cyber incidents reported to the NCUA involve third-party service providers and CUSOs” (credit union service organizations). The NCUA advocated for being granted authority to oversee such credit union vendors.