Pennsylvania credit union data breach

First Commonwealth Federal Credit Union over the weekend confirmed it notified 98,809 people about a June 2024 data breach that compromised names, Social Security numbers, dates of birth, and account numbers.

Ransomware gang Meow claimed responsibility for the attack. The group posted 400 GB of allegedly stolen data for sale at a price of $100,000 on its leak site, which could indicate that ransom negotiations with First Commonwealth failed. Meow says it stole “contracts, accounting records, risk management data, HR documents, audit reports, bank files, financial details, payroll info, tax documents, and much more.”

First Commonwealth has not verified Meow’s claim. We don’t yet know how attackers breached the credit union’s network. Comparitech contacted First Commonwealth for comment and will update this article if it responds.

The credit union’s notice to affected customers reads, “On June 27, 2024, we discovered unusual activity in our digital environment. Upon discovering this activity, we immediately took steps to contain it and launched an investigation, aided by independent cybersecurity experts, to determine what happened and whether sensitive information may have been affected. As a result of the investigation, we learned that an unauthorized actor acquired certain files and data stored within our systems on or around June 26, 2024.”

We recommend victims take advantage of the free identity theft protection offered by First Commonwealth via IDX.

Who is Meow?

First identified in 2022, Meow’s ransomware builds upon Conti, an older strain. Evidence suggests Meow steals data and holds it for ransom, but it might not encrypt files. Data theft and extortion without encryption is an increasingly popular trend for attackers.

To date we have tracked five confirmed attacks by Meow, all of which have been in the US. The others are Vanderbilt University Medical Center, Bladen County, Katsky Korins LLP, and Tulane University (all from 2023). Katsky Korins LLP, in September 2023, was the first confirmed attack.

Meow tends to demand smaller ransoms for stolen data. Across the 45 unconfirmed attacks claimed by Meow, the average ransom demand was just under $18,000.

Five of the aforementioned unconfirmed attacks were on finance companies: three in the US, one in the Seychelles, and one in Nigeria.

Ransomware attacks on US finance

A ransomware attack on a financial business, e.g. a bank, insurance company, or accounting firm, has the potential to cause chaos and puts crucial customer data at risk.

Comparitech researchers recorded 19 confirmed ransomware attacks on US financial institutions so far in 2024, affecting 27,461,095 records. While the number of attacks is significantly lower than last year (55), the number of records affected is nearly triple (10,783,045). This is due to the large attacks on LoanDepot (16.9 million) and Evolve Bank & Trust (7.6 million).

The average ransom across 2023/24 is just over $1.3 million.

We further tracked 78 unconfirmed ransomware attacks on this sector so far in 2024.

About First Commonwealth Federal Credit Union

First Commonwealth is one of the largest credit unions in the Greater Lehigh Valley of Pennsylvania. It manages $1.4 billion in assets and operates 16 locations.