60 U.S. Credit Unions Hit by Supply Chain Cyber Attack

Just three months after the National Credit Union Administration (NCUA) put into place a final rule requiring federally chartered and federally insured credit unions to notify NCUA of a "reportable cyber incident," about 60 credit unions in the United States experienced outages because of a ransomware attack on an IT provider the institutions use, according to a U.S. federal agency.

The final NCUA rule went into effect on September 1, 2023, requiring that affected credit unions should notify the NCUA "as soon as possible and no later than 72 hours" after the credit union "reasonably believes" the incident has occurred.

According to a report in The Register:

"A ransomware infection at a cloud IT provider has disrupted services for 60 or so credit unions across the U.S., all of which were relying on the attacked vendor. 

This is according to the National Credit Union Administration, which on Friday told The Register it is fire-fighting the situation with the credit unions downed this week by the intrusion. The NCUA regulates and insures these financial orgs.

'I can confirm that approximately 60 credit unions are currently experiencing some level of outage due to a ransomware attack at a third-party service provider,' the NCUA spokesperson said. 'Member deposits at affected federally insured credit unions are insured by the National Credit Union Share Insurance Fund up to $250,000.'

We're told the unions' IT provider Ongoing Operations—ironic—was hit by ransomware on Sunday, sparking days of disruption for the biz's clients. It's believed the cloud provider was infiltrated via the Citrix Bleed vulnerability."

This Tripwire blog post, "Supply-chain ransomware attack causes outages at over 60 credit unions," further breaks down the parties to blame for the incident:

"There are a few moving parts here, so here's a quick summary:

• Trellance — A provider of solutions and services used by credit unions, and the parent company of FedComp
• FedComp — A provider of software and services that enable credit unions to operate around the world
• Ongoing Operations — A unit of Trellance, which specialises in disaster recovery and business recovery, providing cloud services to credit unions to ensure that their business activities 'operate without interruption, even when nothing else seems to be going well.'

National Credit Union Administration (NCUA) spokesperson Joseph Adamoli told the media that several credit unions were informed at the start of this month by Ongoing Operations that it had been hit by a ransomware attack.

In an update on its website, Ongoing Operations describes how it experienced the 'isolated cybersecurity incident' on November 26, 2023, and 'took immediate action to address and investigate.'"

A blog post earlier this year from Davis Wright Tremaine LLP, titled "NCUA Approves 72-Hour Cyber Incident Reporting Requirement for Credit Unions," broke down the new NCUA rule and its implications:

"The final rule, which amends NCUA's regulations at 12 C.F.R. part 748, defines a 'cyber incident' as 'an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system or actually or imminently jeopardizes, without lawful authority, an information system.'"

A 'reportable cyber incident'—one that must be reported to NCUA within 72 hours—means a 'substantial cyber incident' leading to one or more of these outcomes:

• A substantial loss of confidentiality, integrity, or availability of a network or member information system… that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services… or has a serious impact on the safety and resiliency of operational systems and processes;
• A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities; and/or
• A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise."

The NCUA is taking a number of steps to address the threat of cyberattacks, including:

• Issuing cybersecurity guidance: The NCUA has issued a number of cybersecurity guidance documents that provide credit unions with information on how to protect themselves from cyberattacks.
• Conducting cybersecurity examinations: The NCUA conducts cybersecurity examinations of credit unions to assess their cybersecurity risks and practices.
• Providing cybersecurity resources: The NCUA provides a number of cybersecurity resources to credit unions, including training materials and threat assessments.