
Credit Union Data Breach Unleashes Legal and Protection Concerns


By Roy Urrico


The $1.8 billion North Augusta, S.C.-based SRP Federal Credit Union reported in Dec. 2024 a major data breach in which files containing the sensitive personal information of 240,742 individuals were potentially accessed and copied. The volume and sensitivity of the exposed data raised alarm among legal and cybersecurity experts alike.


Based on a subsequent forensic examination, SRP FCU, with 19 locations in South Carolina and Georgia, revealed that cybercriminals penetrated its network and gained access to its data files between Sept. 5, 2024 and Nov. 4, 2024.


According to the data breach notification documents filed in Maine and Texas, SRP FCU uncovered the data breach on Nov. 22, 2024. The credit union told regulators in its breach notifications that information leaked included names, Social Security numbers, driver’s license numbers, dates of birth and financial information like account numbers as well as credit or debit card numbers.


SRP FCU did not disclose who was behind the attack. However, on Dec. 5, 2024, the cybersecurity management firm Hackmanac reported that the Ransomware Nitrogen Group Hackmatack claimed responsibility for stealing 650 gigabytes of customer data, according to the online cyber publication The Record.

 

The credit union could face legal challenges following the data breach, as attorneys from Murphy Law Firm and Migliaccio & Rathod LLP are investigating claims on behalf of individuals claiming personal information exposure. The firms are also encouraging affected individuals to join a potential class-action lawsuit.


Credit Unions and Cybersecurity Threats


 Brad Blumberg, co-founder of Aster Key.

“Cybersecurity is both a technological and cultural challenge,” Brad Blumberg, co-founder of Aster Key, an app that empowers consumers to anonymize, organize, and encrypt financial data on mobile phones, told Finopotamus. He added, “The C-suite, from small credit unions to mortgage firms of all sizes, must prioritize key actions to mitigate risks. They must implement strict access controls and enforce role-based access and least privilege for all employees. They also need to adopt multi-factor authentication and require it for all devices and systems.”


Blumberg also recommended, “Companies should explore more than ‘industry standard’ practices; they should embrace consumer empowerment, giving consumers control over their data with secure and private practices. Data sharing should be limited. Companies should be cautious when sharing data with vendors that do not meet security standards, and re-look at offshoring their customer's data. They should also advocate changes in outdated systems, such as credit bureau invasive practices and third-party tools that compromise data security.”


Challenges of Identity Threats


In 2023, about 60 credit unions dealt with widespread outages after a ransomware attack on a third-party service provider, according to the NCUA. The regulators had to step in to provide assistance after thousands of people could not access accounts for days.


The NCUA, in its Cybersecurity and Credit Union System Resilience Annual Report to Congress in June 2024, underscored the importance of the NCUA obtaining vendor authority to address these risks. “During the incident, the NCUA faced substantial difficulties in obtaining crucial information from third-party vendors, which hindered response efforts,” the report noted. “Due specifically to the NCUA’s lack of vendor authority, the NCUA encountered delays in communication and inability to obtain data.” The NCUA maintained it could have mitigated these obstacles if it had the authority to demand timely and reliable information from all relevant parties.


Nevertheless, fewer cybersecurity regulations, particularly for identity crimes, remain concerning, according to the El Cajon, Calif.-based Identity Theft Resource Center (ITRC), a nationally recognized nonprofit organization established to support victims of identity crime.


In its 2025 predictions, the ITRC expects self-regulation to make a comeback. “Self-regulation, where industries develop best practices and standards, was all the rage in the 1990s and 2000s. While such approaches allow for flexibility and innovation, they also lack the enforcement mechanisms and oversight of formal regulations. Without mandated requirements, sophisticated fraud enterprises will take advantage of inconsistent protections, leading to increased identity crimes and consumer distrust. Businesses will face greater reputational and financial risks due to breaches and fraud that stricter regulatory frameworks would help prevent.”
