The fallout from last summer’s ransomware attack on California’s Patelco Credit Union continues. State regulators have fined Patelco $100,000 and ordered it to implement a new cybersecurity program, which includes hiring a security consultant and providing training for all employees.
But Patelco’s troubles don’t end there. The credit union is also facing a class-action civil lawsuit in state court, as well as a federal lawsuit filed by two of its members. Since news of the attack broke, Patelco’s membership has dropped by nearly 9,000, according to call reports filed with the NCUA.
The breach has also led to many instances of what Patelco describes as first-party fraud. In October, two members filed a lawsuit claiming they discovered 26 fraudulent transactions on their account, all made using the Apple Cash app, totaling more than $14,000.
According to court filings, Patelco denied that the transactions were fraudulent. The credit union said that the decline in membership following the attack was because of accounts it had closed for first-party fraud.
The attack, which began last June, disrupted Patelco’s online banking services for weeks and exposed the personal information of more than a million customers and employees.
Patelco says it did not pay a ransom to the hackers but reported losses of more than $39 million in Q3 2024, attributing them to covering overdrafts for its members after the attack.
Taking Precautions After the Fact
The consent decree, agreed to by both Patelco and California’s Commissioner of Financial Protection and Innovation, requires the credit union to designate a qualified individual to oversee its cybersecurity program. Patelco must also maintain a training program to ensure its employees understand the risk profile and compliance obligations.
In addition, Patelco is expected to hire a qualified, independent, and unaffiliated third-party compliance consultant to support its efforts to enhance the cybersecurity program and to maintain independent testing.
Cybersecurity experts agree that financial institutions should proactively address these incidents and implement the measures that Patelco is only now taking.
“Our main recommendation would be heightened education for credit union staff, about socially engineered schemes that come in via email and to the call center,” said Tracy (Kitten) Goldberg, Director of Fraud and Security at Javelin Strategy & Research. “Additionally, they should invest in cybersecurity insurance policies that cover ransomware attacks, ensuring that losses are covered.”
Often, after such attacks, weaknesses in the security apparatus become glaringly obvious. Following a cyberattack on Change Healthcare last year, its parent company, UnitedHealth, admitted that it hadn’t been using multi-factor authentication to secure its most critical systems.
