‘Texas Dow Employees Credit Union’ Data Breach Impacts More Than 500,000 Individuals 

• The U.S. Texas Dow Employees Credit Union announced more than 500,000 people have had their personal data exposed.
• The large credit union was a victim of the massive 2023 MOVEit security incident claimed by Cl0p Ransomware.
• Impacted individuals are to receive complimentary credit monitoring services.

The largest Houston-area credit union, Texas Dow Employees Credit Union (TDECU), started notifying 500,474 individuals who were affected by the May 2023 data breach that allowed unauthorized access to sensitive customer data. The company discovered the hack on July 30, 2024.

The significant credit union was one of the many organizations impacted by the Cl0p ransomware group’s exploit of the zero-day vulnerability (CVE-2023-34362) in the MOVEit Transfer managed file transfer (MFT) software.

The ransomware gang gained access to files transferred via the MOVEit software that contained names, dates of birth, Social Security numbers, bank account details, credit card data, driver's license numbers, and taxpayer identification numbers.

In the filing, the credit union announced offering 12 months of free credit monitoring services to individuals whose data was exposed and encouraged them to place fraud alerts on their credit files or request a security freeze in case they suspect any fraudulent activity.

Despite the large-scale data breach, the organization's internal network remained uncompromised, and TDECU has not reported any incidents of identity or financial fraud resulting from the third-party software security incident.

Cybersecurity firm Emsisoft estimates that the MOVEit campaign impacted more than 2,700 organizations and approximately 96 million individuals.

Other notable breaches include the HealthEquity 2024 breach, which affected 4.3 million individuals. An attacker stole the health tech services provider’s data from a third party with access to HealthEquity’s SharePoint data.

Recently, the Committee on Foreign Investment in the U.S. accused T-Mobile of failing to implement adequate security measures and report security breaches in due time, issuing a $60 million fine. In the past six years, T-Mobile data branches exposed millions of customers’ sensitive information.