Tell HN: Patelco Was Hacked
Just got an email from their CEO. They got hacked. No ETA in sight.
Dear XXXX,
We are writing to let you know that on June 29, we experienced a serious security incident. This required us to shut down some of our day-to-day banking systems so that we can remediate the issue and contain the impact, including online banking, our mobile App, and our call center. Currently, electronic transactions such as transfers (including Zelle), direct deposit, balance inquiries, and payments are unavailable. Debit and credit card transactions function in a limited capacity.
Patelco branches, our call center and Live Chat will be open and ready to assist as much as they can during our regular business hours starting tomorrow, Monday July 1.
For cash withdrawals and deposits, you can access Patelco ATMs, including over 30,000 shared branch ATMs all over the country. Find your nearest branch and ATM (including hours of operation) at patelco.org/locations.
Our teams are working around the clock with top-tier cybersecurity experts to assess the situation and to restore service to you. Unfortunately, we are unable to provide an ETA on when those systems will be running as expected.
Your trust and partnership are of the utmost importance to us, and we are committed to resolving this issue with the highest level of diligence. We know this news is concerning, and we are committed to keeping you informed as the investigation continues.
Thank you for your patience and understanding as we navigate this challenging situation.
Sincerely,
Erin Mendez
President & CEO
Patelco Credit Union

Still down. I have Zelles to send and receive (I moved over the last few days) and this is going to be problematic for me soon.

I'm a customer with checking and a credit card there. Was down at least since 6 a.m. on Saturday morning PDT, which is when access first failed for me.

I am trying to confirm if MOVEit Transfer was involved... does anyone know if it was? If not, does anybody have any technical details?

Patelco's finally fixed their site and added a slightly more detailed response: https://www.patelco.org/securityupdate

tl;dr it was a ransomware attack. Despite customers complaining about a barrage of fraudulent activity, Patelco claims that credentials and other PII have not been exposed. Yeah. Right.

Vague, wouldn't trust my $ to these guys.

I work in cybersecurity and am a customer of a rival CU in the same region. I think it’s too early to criticize. In the first 48 hours of a data breach, everything is chaos. Let their IT team get an estimate of how bad the situation is and try to triage as best as possible. From their business standpoint, it’s better to be a little slow to report what is happening than it is to be quick and inaccurate. It’s better to proactively shut down services early to reduce the possibility of propagation of the breach. From the customer standpoint, the experience sucks no matter what happens, but it can suck less if the company focuses on stopping the spread and recovery as fast as is reasonably possible. Also, this appears to have happened over a weekend, so getting all of the employees, vendors, Board of Executives, lawyers awake, on the same calls, and come up with the deliverables is much slower than 10a on a Tuesday.

I'm actually a customer of Patelco and wouldn't say it's too soon to criticize. They've had multiple widespread outages over the past three or four years and still haven't figured out basic communication stuff. Security just isn't Patelco's thing. E.g. I've a "passphrase" set on my account and about 1 in 5 tellers actually verifies it before giving me access to my account in person. So far nobody I've talked to over the phone has ever bothered. Their old PC-24 online banking platform did some pretty obviously insecure things, but they've since switched to a "more modern" banking platform. Welp. It's been so long I don't remember why I had a real dim view of the new product, but again if the reddit peanut gallery is to be believed they were sending out credentials and whatnot in plain text. I'm only a member because their computer glitches worked in my favor. As sloppy as Patelco is, they still give off an air of being more professionally run than some of the other smaller Bay Area credit unions.

A reminder that we should have multiple bank accounts and spread our paycheck direct-deposits among them.

> Also, this appears to have happened over a weekend, so getting all of the employees, vendors, Board of Executives, lawyers awake, on the same calls, and come up with the deliverables is much slower than 10a on a Tuesday.

I saw some complaints on reddit that this started on Friday. No matter. Patelco is a financial institution with about $9 billion in assets. They can afford to and should have people on call during the off hours. 3–4 days is an unacceptable response time. This isn't some wanky ChatGPT bullshit, this is folks' money.