Cyber attack on SRP Federal Credit Union compromised the data of 240,000 individuals

South Carolina-based finance company SRP Federal Credit Union said hackers infiltrated its systems between September and November and stole the sensitive personal information of almost a quarter of a million individuals.

Founded in 1960, SRP Federal Credit Union provides savings programs, checking accounts, competitive loan options, and a variety of other convenient services tailored to fit over 195,000 members.

The credit union told the Office of Maine Attorney General through a security incident notification Thursday that it detected suspicious activity in its internal network. According to the filing, SRP FCU launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

It also took steps to secure its systems, implemented its incident response protocols and notified law enforcement agencies about the incident.

“The forensic investigation determined that an unknown, unauthorised third party accessed our computer systems at times from September 5, 2024, and November 4, 2024, and potentially acquired certain files from our network during that time,” reads the notice.

The credit union said the data accessed by the hackers included names and other personal identifiers. It said in its filing with the Maine state regulator that at least 240,742 individuals were impacted by the incident. It has, however, confirmed that the incident did not impact its online banking system or core processing system.

While the credit union found no evidence of the compromise data being misused, it has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and state attorney general.

SRP FCU has also offered one year of complimentary identity protection and credit monitoring services through Experian Credit 3B to all affected individuals.

Earlier this month, a group of threat actors going by the name Nitrogen ransomware group claimed responsibility for the cyber attack on SRP FCU and listed it as a victim on its data leak site. The group claimed to be in possession of 650 GB of confidential customer data, including full names, SSNs, dates of birth, addresses, account numbers, and credit ratings and offered to sell the data for $400,000.