Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security The Almighty Buck

Ransomware Locks Credit Union Users Out of Bank Accounts (arstechnica.com) 27

An anonymous reader quotes a report from Ars Technica: A California-based credit union with over 450,000 members said it suffered a ransomware attack that is disrupting account services and could take weeks to recover from. "The next few days -- and coming weeks -- may present challenges for our members, as we continue to navigate around the limited functionality we are experiencing due to this incident," Patelco Credit Union CEO Erin Mendez told members in a July 1 message (PDF) that said the security problem was caused by a ransomware attack. Online banking and several other services are unavailable, while several other services and types of transactions have limited functionality.

Patelco Credit Union was hit by the attack on June 29 and has been posting updates on this page, which says the credit union "proactively shut down some of our day-to-day banking systems to contain and remediate the issue... As a result of our proactive measures, transactions, transfers, payments, and deposits are unavailable at this time. Debit and credit cards are working with limited functionality." Patelco Credit Union is a nonprofit cooperative in Northern California with $9 billion in assets and 37 local branches. "Our priority is the safe and secure restoration of our banking systems," a July 2 update said. "We continue to work alongside leading third-party cybersecurity experts in support of this effort. We have also been cooperating with regulators and law enforcement."

Patelco says that check and cash deposits should be working, but direct deposits have limited functionality. Security expert Ahmed Banafa "said Tuesday that it looks likely that hackers infiltrated the bank's internal databases via a phishing email and encrypted its contents, locking out the bank from its own systems," the Mercury News reported. Banafa was paraphrased as saying that it is "likely the hackers will demand an amount of money from the credit union to restore its systems back to normal, and will continue to hold the bank's accounts hostage until either the bank finds a way around the hack or until the hackers are paid." Patelco hasn't revealed details about how it will recover from the ransomware attack but acknowledged to customers that their personal information could be at risk. "The investigation into the nature and scope of the incident is ongoing," the credit union said. "If the investigation determines that individuals' information is involved as a result of this incident, we will of course notify those individuals and provide resources to help protect their information in accordance with applicable laws."
While ATMs "remain available for cash withdrawals and deposits," Patelco said many of its other services remain unavailable, including online banking, the mobile app, outgoing wire transfers, monthly statements, Zelle, balance inquiries, and online bill payments. Services with "limited functionality" include company branches, call center services, live chats, debit and credit card transactions, and direct deposits.
This discussion has been archived. No new comments can be posted.

Ransomware Locks Credit Union Users Out of Bank Accounts

Comments Filter:
  • by oldgraybeard ( 2939809 ) on Wednesday July 03, 2024 @05:12PM (#64599205)
    "hackers infiltrated the bank's internal databases via a phishing email" How does that even work. Who designs systems like this?
    • Comment removed based on user account deletion
    • by oldgraybeard ( 2939809 ) on Wednesday July 03, 2024 @05:20PM (#64599225)
      More importantly! Who builds and runs an operation this broken!
      And when do we find out the name of the Microsoft partner involved in this standard admin and security outsourcing disaster!!
      • Re: (Score:2, Interesting)

        by Anonymous Coward

        More importantly! Who builds and runs an operation this broken! And when do we find out the name of the Microsoft partner involved in this standard admin and security outsourcing disaster!!

        It's the curse of hiring point-and-click admins.
        I manage IT in the healthcare space. Several hundred clients.
        Two offices have been cryptolocker'd in the last 18 years that we've been doing this.
        They were specific targeted attacks--AV didn't even remotely detect a problem.
        But our internal monitoring system alerted us when it noticed files being changed--files that should basically be write-once-read-many or operations on folders that might see 5-10 writes per year...or our canary tokens disappeared.

        We

    • Microsoft, it is always Microsoft

      • by gweihir ( 88907 )

        Not only. It is also the morons buying and using Microsoft toy-level "systems" for critical functions. If the customer is incompetent and greedy, the market stops working.

    • "How does that even work."

      The most obvious way would be that the email got somebody with a lot of privileges to type his credentials into a site controlled by the hackers.

      Of course, this raises the questions--where was the 2FA? Where was restricting access to the bank's own VPN?

      • by gweihir ( 88907 )

        And also, why did system administration tasks not require the use of separate, dedicated and hardened systems?

      • by ls671 ( 1122017 )

        "How does that even work."

        The most obvious way would be that the email got somebody with a lot of privileges to type his credentials into a site controlled by the hackers.

        Of course, this raises the questions--where was the 2FA? Where was restricting access to the bank's own VPN?

        I asked them and they replied: "What's a VPN?" /s

    • by gweihir ( 88907 ) on Wednesday July 03, 2024 @07:14PM (#64599457)

      "hackers infiltrated the bank's internal databases via a phishing email" How does that even work. Who designs systems like this?

      Simple: Greedy scum C-levels hiring cheap, incompetent people and then giving them not enough money and time on top. Also, clearly a regulatory failure. In the banking systems I know, you have separate hardware to even access anything really critical and no regular email or web access or anything, really, from those systems. Of course, that costs money. Money that can be better spent on undeserved bonuses for the C-levels.

    • by AmiMoJo ( 196126 )

      It probably wasn't designed at all. Just built up over decades, contractors asked to write software to fulfil specific needs, no consideration for the overall system or integrated security.

  • "Hit by attack" (Score:3, Insightful)

    by gavron ( 1300111 ) on Wednesday July 03, 2024 @05:31PM (#64599251)

    Nobody was "hit by attack." They incompetently didn't bother to secure their systems.

    Can't be bothered to close the safe when your credit union closes for the night? Don't blame the people who robbed you and pretend you had nothing to do with it but HERE IS ONE YEAR OF LIFELOCK WOOHOO!

    Any facility hosting financial or PII should be put out of business the very next day. If they can't be bothered to do the bare minimum they shouldn't bother at all.

    If you disagree, have a year of LIFELOCK with credit lock. So now you can't sue those people who literally gave away your PII.

    Close them down. The excuses just keep on getting stupider.

    • Re:"Hit by attack" (Score:4, Insightful)

      by Baron_Yam ( 643147 ) on Wednesday July 03, 2024 @05:40PM (#64599273)

      There are two groups offenders - the cyber criminals, and the negligent credit union staff.

      However, if you're going to ask me to rank the two... the latter are only negligent because of the criminal acts of the former. Hang those in the public square as an example, the negligent staffers can enjoy unemployment.

      • by gweihir ( 88907 )

        Ah, the usual crap bogus excuse. The negligent C-levels (and that is where the rot usually sits) should go to prison for something like this or nothing will change. Sure, the attackers will go to prison long-term if ever caught, but that does not excuse inadequate IT security at a frigging _bank_ at all.

        • by ksw_92 ( 5249207 )

          Taking your line of thought to the extreme: we should be putting rape victims in prison because "they asked for it, with their big tits and loose ways", right?

          Ransomware is rape, writ large. If women (or whatever sex/gender is targeted...can't have the Alphabet Team up in arms over being left out) had to follow what we expect of IT, they'd be best served by being locked in a high castle tower with dragons for guards. How would they ever get a date, or procreate?

          Zero-days and weak staff will always be an iss

          • In a modern civilized nation with the rule of law and a moderately effective police service, you can usually afford to be less brutal with punishments. The goal, obviously, is to maximize your happy and productive citizenry and that includes rehabilitating criminals.

            However, we appear to have forgotten an old rule - the more difficult it is to catch a particular type of criminal, the harsher the punishment; the perceived risk/reward has to be high. If cyber crime is something you can mostly get away with

    • by gweihir ( 88907 )

      Indeed. No bank should ever have IT security that cheaply and badly done that they can even be really hit by ransomware. And "weeks to recover"? That is simply ridiculous. They cannot have invested anything into BCM and DR tests and are probably doing the absolutely bare minimum there. Greed at work. This disaster should result in personal penalties for those responsible, starting with the CEO.

  • by tanimislam ( 1452305 ) on Wednesday July 03, 2024 @05:37PM (#64599267) Homepage
    This has been an interesting experience for me. I wonder whether I should contribute to the Wikipedia article about this debacle in 6 months' time. The best communication I found comes from this reddit post by Patelco members: https://www.reddit.com/r/bayar... [reddit.com]
    • Comment removed based on user account deletion
      • Nope, this is one of those "experience is the best teacher" sort of situations. Right now, my parents' account is the Plan B. As soon as possible, switching to other accounts and keeping the minimum allowable balance (and closing my high interest savings account).
  • Maybe not that cheap after all? Would definitely be a good thing if this kills them with customers leaving.

  • I know credit unions have become super creative about defining their supposedly limited markets, but ... WTH is this?

    A credit union for families named "Patel"?

  • shouldn't there be a redundant isolated failsafe restorable tested base state? No? Really?

  • This is why I have about 500 cash sitting around in paper and money at 2 different banks.

Hackers are just a migratory lifeform with a tropism for computers.

Working...