CFS and ALEC report system breaches impacting 100,000 individuals

San Diego-based broker-dealer CUSO Financial Services (CFS) and Abbott Laboratories Employees Credit Union (ALEC) have reported significant cybersecurity breaches this month, affecting the personal information of over 100,000 individuals. Both organizations disclosed the incidents to the Maine Attorney General’s Office as they continue investigations with cybersecurity specialists.

According to CFS, an external system breach compromised the information of 75,116 people months after an earlier email security event in February impacted an additional 25,692 individuals. CFS, a San Diego-based broker-dealer that partners with credit unions nationwide, first noticed suspicious activity related to a third-party communications archiving provider on Jan. 19, 2024. An investigation later confirmed that an unauthorized party accessed a CFS employee account, potentially exposing sensitive information, including names, addresses, Social Security numbers, and account numbers. Although the initial breach was detected in January, it was only uncovered on Sept. 10.

In October, CFS also reported a vulnerability in an email application, Barracuda Networks, which allowed unauthorized access to historical emails and attachments dating back to July 5, 2022. CFS could not determine which emails were accessed but has since confirmed that the security vulnerability is resolved and has reported the incident to federal law enforcement.

Similarly, ALEC, a credit union in Gurnee, Illinois, notified 36,044 members of an external system breach occurring on Aug. 2. The breach was discovered on Sept. 23, and an investigation found that an unauthorized third party accessed a single employee email account. ALEC’s forensic analysis determined that sensitive member data, including Social Security numbers, addresses, and account numbers, may have been exposed. ALEC has since strengthened its email security protocols and offered affected members one year of complimentary identity theft protection through Experian IdentityWorksSM Credit 3B.

Both CFS and ALEC have informed federal law enforcement of the breaches and provided impacted individuals with identity theft protection services. Neither organization has reported any fraudulent activity stemming from these incidents.