The Texas Dow Employees Credit Union (TDECU) on Aug. 23 sent letters to more than 500,000 people saying their personal data was compromised during last year’s MOVEit attacks carried out by the Clop ransomware gang.
The MOVEit attacks were first discovered and reported in late May 2023, affecting more than 2,700 organizations and 95 million people.
In a notice on its website, TDECU said it first discovered on July 30 that the personal information of TDECU members was potentially removed from MOVEit by the threat actor between May 29-31 of last year.
The impacted data included full names in combination with dates of birth, Social Security numbers, bank financial account numbers, credit/debit card numbers, driver’s license information and taxpayer identification numbers.
TDECU was quick to add that there was no compromise of TDECU’s broader network security.
Ira Winkler, chief information security officer at CYE, said the TDECU case is a scary indication that organizations frequently lose insight into the data they collect. Winkler pointed out that given the delay in reporting, it’s likely that they were completely unaware of the data that was on a compromised system until recently.
“Data can be extracted from their original sources for a variety of purposes. And if the data is not properly tracked, it not only becomes vulnerable to compromise, but worse, the organizations have no idea it is compromised until it is too late,” said Winkler.
Itzik Alvas, co-founder and CEO and co-founder of Entro Security, added that the TDECU breach stressed the urgent necessity for organizations to prioritize cybersecurity measures, particularly vulnerability assessments and patch management.
"This incident reminds us that the stakes in cybersecurity are incredibly high, and organizations must stay attentive in both internal and external system security," said Alvas. “Regular vulnerability assessments and the swift application of patches are not just best practices, but critical actions that can prevent catastrophic breaches."
Ken Dunham, cyber threat director at the Qualys Threat Research Unit, said that the MOVEit vulnerability — CVE-2023-34362 — continues showing up in the news because of its widespread exploitation and the depth of exploitation. Dunham said while we may tire of hearing about MOVEit, it’s critical for security teams to stay vigilant.
“Readiness is more than planning on paper, it requires regular testing, demonstrating TTPs and defensive measures, testing for operational excellence and gaps,” said Dunham. “It also requires running drills — blackbox, graybox, and whitebox — to continually prepare and adjust to dynamic global threatscape risks to an organization.”
