ROCKVILLE, Md.—The $2-billion Lafayette Federal Credit Union may have suffered a data breach, JD Supra reported.
The credit union, according to JD Supra, has filed a notice of data breach with the Attorney General of California after discovering that an unauthorized party gained access to an LFCU employee’s email account.
“In this notice, LFCU explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information. Upon completing its investigation, Lafayette Federal Credit Union began sending out data breach notification letters to all individuals whose information was affected by the recent data security incident,” JD Supra explained.
JD Supra noted that the Lafayette breach was only recently announced, adding more information is expected in the near future. The number of potential members impacted was not shared.
JD Supra said the filing explained what led up to the breach. According to the filing, LFCU recently learned that an unknown party had gained access to an employee’s email account. In response, LFCU secured the affected account and then launched an internal investigation. Lafayette FCU also brought on a team of cybersecurity experts to confirm the security of the company’s email system and assist with the investigation.
Through its investigation, LFCU confirmed that an unauthorized party was able to access the employee’s email account—including emails and attachments containing confidential consumer information—on Sept. 16, 2024, JD Supra said.
After learning that sensitive consumer data was accessible to an unauthorized party, Lafayette Federal Credit Union reviewed the compromised files to determine what information was leaked and which consumers were impacted. LFCU completed this process on Feb. 5, 2025.
“While the publicly available data breach letter posted on the California Attorney General’s Search Data Security Breaches web page doesn’t mention what data types were leaked, on March 20, 2025, Lafayette Federal Credit Union sent personalized data breach letters to anyone who was affected by the incident. These personalized letters should provide victims with a list of what information belonging to them was compromised,” JD Supra said.