SAN DIEGO—CUSO Financial Services here, which provides investment services for credit unions, has reported a data breach incident believed to have affected 75,116 individuals.
CFS has filed a notice of the breach with the Attorney General of Maine after discovering that an incident at a third-party service provider resulted in unauthorized access to a CUSO employee’s account, JD Supra reported.
In this notice, CUSO Financial Services explained the incident resulted in an unauthorized party being able to access consumers’ sensitive information. Upon completing its investigation, CFS began sending out data breach notification letters to all 75,116 individuals whose information was affected by the security incident, JD Supra explained.
The breach comes at a time when NCUA is expressing growing concerns over credit unions’ exposure to data breach incidents through third parties. During its October open board meeting, NCUA said it may consider adjusting the normal operating level of the NCUSIF due to the growing risk third-party cyber incidents present to the fund. NCUA data show that since the agency’s cyber incident notification rule took effect last September, through Aug. 31, there were 1,072 cyber incidents reported involving credit unions, and 742 were related to third parties.
Suspicious Activity
The CFS filing with the Attorney General of Maine states that on Jan. 19, 2024, the organization learned of suspicious activity involving a third-party service provider that CFS uses for archiving communications, which is required under FINRA, JD Supra explained.
In response, CFS launched an investigation, ultimately confirming that an unauthorized person was able to access a CFS employee’s account between Dec. 19, 2023, and Jan. 19, 2024. It was later determined that the unauthorized party could accessed certain confidential information while in the employee’s account, JD Supra said.
After learning that sensitive consumer data was accessible to an unauthorized party, CUSO Financial Services reviewed the compromised files to determine what information was leaked and which consumers were impacted. CFS recently completed this review process, JD Supra said.
On October 28, CFS sent out personalized data breach letters to anyone who was affected. The filing with the Maine Attorney General does not list the data types that were leaked, JD Supra said.