Credit Unions Currently Facing Disruptions Due to a Cyber Incident

In late November, Ongoing Operations, a credit union solutions provider, fell victim to a cyber incident. Approximately 60 credit unions are currently facing disruptions due to the aftermath of this attack.

Around 60 credit unions are said to be facing operational disruptions following a recent cyber incident, as reported by The Record based on information from the National Credit Union Administration (NCUA). The attack targeted a widely used third-party provider in late November, adding to the growing list of cyber incidents impacting critical infrastructure.

Ongoing Operations, a company specializing in credit union-focused cloud and business continuity solutions and owned by Trellance, disclosed an “isolated cybersecurity incident” on November 26, according to a notice issued by the company.

Multiple credit unions, reporting incidents to the NCUA, indicated that Ongoing Operations informed them the incident involved ransomware, according to The Record.

Ongoing Operations opted not to respond to inquiries from GovTech regarding the details of the incident and service restoration efforts.

Among the affected credit unions is Mountain Valley Federal Credit Union (MVFCU). In a December 4 update, MVFCU CEO Maggie Pope and the board of directors noted that the credit union’s data processing system “remains non-operational.” However, customers can still use debit cards and access cash at physical credit union branches or through ATMs.

MVFCU also communicated on its website that the credit union is presently unable to retrieve customers’ personal information, including phone numbers and emails. As a result, the institution is relying on its website and social media channels to disseminate updates.

FedComp, the credit union’s data processor, alerted MVFCU to the attack on Trellance. According to a November 30 update from Pope and the board, FedComp conveyed that Trellance would need to transition to a new server system, and both entities were diligently working “around the clock” to restore systems. As of December 4, the restoration efforts were still in progress.

Pope and the board mentioned in their update on December 4 that, due to the scale of credit unions affected and the extensive work undertaken in recent days, additional time was required to launch the online banking platform.

Ongoing Operations, in a December 2 post, reported significant progress in restoring services and expressed the intent to notify those affected once the full extent of the incident is determined. However, the company acknowledged that the process of reviewing files to ascertain potential information exposure is intricate and time-consuming. Currently, there is no evidence of information misuse.

In case of inquiries about the incident, Ongoing Operations provided a dedicated email address:

This incident is not isolated, as evidenced by a recent ransomware attack on Fidelity National Financial, a real estate services company, affecting customers’ ability to make mortgage payments.

The NCUA has intensified its focus on cybersecurity and information gathering. Since September 2023, federally insured credit unions are mandated to report cyber incidents to the NCUA within 72 hours. Within the initial 30 days of this rule, the NCUA received 146 incident reports, equivalent to its typical annual intake, as stated by NCUA Chair Todd Harper in October.

The Ongoing Operations incident underscores the impact of vendor attacks. As per the October NCUA statement, “more than 60 percent of the cyber incidents reported to the NCUA involve third-party service providers and CUSOs” (credit union service organizations). The NCUA is advocating for authority to oversee such credit union vendors.