On August 2nd, the First Commonwealth Federal Credit Union (First Commonwealth), headquartered in Lehigh Valley, PA, issued a statement on its website acknowledging that it had been the victim of a “security incident”. According to the financial cooperative, the data breach was carried out around June 26th by “an unknown actor”.
In the central part of the statement, First Commonwealth says:
[…]First Commonwealth is not aware of any evidence of the misuse of any information potentially involved in this incident.[…]
In the closing lines of the statement, the financial cooperative lists the types of data that, according to them, were affected by what they consider to be (just) an “incident”.
[…]The following information may have been involved in the incident: names, addresses, Social Security numbers, dates of birth, or account numbers.[…]
[…]Our collection includes extensive databases containing critical information such as contracts, accounting records, risk management data, HR documents, audit reports, bank files, financial details, payroll information, tax documents, and much more.[…]
Screenshot and redaction by SuspectFile.com
We mentioned at the beginning of the article that on August 2, First Commonwealth published a statement acknowledging the data theft from its IT systems. On the same day, they also sent copies of the notification letters to at least five Attorneys General from the states of Maine, Massachusetts, Montana, New Hampshire, and Vermont (these are the only U.S. states where SuspectFile.com was able to verify the presence of the notification letter issued by the financial cooperative).
Maine and Indiana are the only two U.S. states that, in the event of a data breach involving even a single resident, also make public the total number of victims.
Total number of victims whose data was stolen: 98,809
– Maine: 28
– Massachusetts: 80
– Montana: 8
– New Hampshire: ~28
– Vermont: ?
In the statement, First Commonwealth reported that the stolen data included:
– Names
– Addresses
– Social Security numbers
– Dates of birth
– Account numbers
SuspectFile.com had the opportunity to review a dozen exfiltrated data files not yet made public by the Meow Leaks group. We can confirm that the nature of the stolen data extends beyond what was declared by the financial cooperative. Additionally, it’s important to note that, besides the six files published by the cybercriminal group on their blog as proof of possession, there are approximately 400 GB of documents that Meow Leaks claims to have and that could be purchased by anyone at any time. This data could potentially be used for criminal purposes, such as identity theft, phishing, or smishing campaigns.
Below are the types of files we found among those we were able to review. We do not know whether there are similar files or different types among the thousands of files exfiltrated by the cybercriminals:
– Driver’s license
– Identification card
– Death certificate
– Health insurance policy
– Certification of Health Care Provider for Family Member’s Serious Health Condition (Family and Medical Leave Act)
– Form 1040
– Email addresses
Screenshot and redaction by SuspectFile.com
We’ve emphasized repeatedly that one of the foremost responsibilities of any public or private entity handling large amounts of sensitive data, whether from employees or private citizens, is to diligently protect that data. All too often, we’ve seen statements addressing the aftermath of cybercriminal activities without acknowledging significant network management failures or admitting inadequate investments in cybersecurity.