Cyber breach at SC credit union could threaten 240,000 people, documents say
Confidential personal data of more than 240,000 people may have been stolen last year when a South Carolina credit union was hacked by a group called “Nitrogen,” according to a consumer affairs public disclosure notice.
Ten lawsuits against the SRP Federal Credit Union have also been filed in federal district court in South Carolina alleging major breaches in the credit union’s supposedly secure digital record keeping system.
Official notice of the hacking was given in a public consumer breach notification statement filed in December by the SRP Federal Credit Union with the Maine attorney general’s office. Another notification, with the Texas attorney general’s office, said 750 Texans had been affected.
The S.C. Department of Consumer Affairs did not list an SRP Federal Credit Union cyber breach as of Thursday, Jan. 2.
Officials at the SRP Federal Credit Union, one of South Carolina’s largest credit unions, could not be reached for comment.
The lawsuits, which seek to become a class action against the credit union, allege that the hacker gained access to sensitive personal information of numerous credit union members. The information includes driver’s license numbers, birth dates, Social Security numbers and financial account information, the lawsuits allege.
The customers are now exposed to the dangers of identity theft and fraud, lawsuits allege.
The breach occurred between Sept. 5 and Nov. 4 and was undetected during that time, the lawsuits allege. And the credit union’s customers weren’t notified of the breach until Dec. 12, lawsuits allege.
The Dec. 12 notification letter sent out by the credit union warns customers that their data may have been stolen. The letter also says the credit union has taken steps “to reduce the risk of this type of incident occurring in the future.” The credit union is also offering a free one-year membership in an identity protection service.
The SRP Federal Credit Union has $1.6 billion in assets and more than 180,000 members, according to a recent credit union annual report. It has some 400 full- and part-time employees.
Started in 1960, the credit union is named for the Savannah River Plant — now the Savannah River Site — the nuclear weapons complex in Aiken County, according to a 2008 story in The Augusta Chronicle. The company’s motto is “Good Things Are Happening at SRP,” the annual report says.
But the lawsuits paint a different picture.
“Cybercriminals were able to breach Defendant’s systems because Defendant failed to adequately train its employees” and take other steps to protect customer data, “rendering it an easy target for cybercriminals,” said a lawsuit brought on Dec. 20 by Norman Black, a credit union customer.
SRP Federal Credit Union has refused to tell customers exactly how many people were impacted, how the breach happened and why the credit union delayed “notifying victims that cybercriminals had gained access to their highly private information,” Black’s lawsuit alleged.
The alleged culprit, “Nitrogen Ransomware Group, is an incredibly notorious ransomware actor, having perpetrated multiple high-profile breaches this year alone.” SRP Federal Credit Union should have known to protect itself against such thieves, said Black’s lawsuit.
Stolen personal information “can be worth up to $1,000” on the criminal black market, Black’s lawsuit alleges.
Stolen personal information has been traded on the internet black market for years, and criminals frequently post stolen private information openly and directly on various “dark web” internet websites, making the information publicly available, for a substantial fee, Black’s lawsuit said.
Social Security numbers are particularly attractive targets for hackers because they can easily be used to perpetrate identity theft and other highly profitable types of fraud. Moreover, Social Security numbers are difficult to replace, as victims are unable to obtain a new number until the damage is done, Black’s lawsuit alleged.
Another lawsuit, filed by customer Vincent Cerrato, alleges that the personal data “could equip criminals to commit a wide range of financial crimes. Criminals can trade and monetize Personal Identifying Information that (the credit union) exposed to open new financial accounts, take out loans, obtain medical services, secure government benefits, file fraudulent tax returns, obtain driver’s licenses with their own photographs... and provide false information to police during arrests.”
The lawsuits said the plaintiffs seek unspecified actual and punitive damages.
Cerrato’s lawsuit said he also wants the credit union to appoint “an independent, qualified cyber auditor to monitor (the credit union’s) cyber vigilance, all funded” by the credit union.
The risk of identity theft “and various other forms of personal, social, and financial harm... will remain for their respective lifetimes,” said another lawsuit, filed by customer Christopher Cummings.
“Through the Data Breach, the unauthorized cybercriminal(s) accessed a cache of highly sensitive Private Information, including names, Social Security numbers, driver’s license numbers, dates of birth and financial information, including account numbers and credit or debit card numbers, of at least 240,000 individuals,” Cummings’ lawsuit said.
The breach was first reported by The Record, a publication that tracks cyber security issues.
The cases have been assigned to U.S. District Judge Cameron McGowan Currie.