South Carolina-based SRP Federal Credit Union has reported a significant data breach impacting over 240,000 individuals. The breach, linked to a three-month-long cyberattack from September 5 to November 4, resulted in the exfiltration of over 650 GB of data containing sensitive client information. The credit union concluded its investigation on November 22, stating that files were potentially exfiltrated during the breach window. While SRP reported no known instances of fraud or identity theft resulting from the incident, it offered affected members complimentary access to Experian’s identity theft protection services for one year.
On December 5, the cybersecurity management firm Hackmanac disclosed on the social media platform X that the Nitrogen ransomware group had taken credit for the SRP Federal Credit Union data breach. The post included images allegedly depicting leaked data from the credit union, presented as proof of the attack.
The Nitrogen ransomware group, first identified in mid-2023, is known for its rapid deployment of ransomware attacks. The group utilizes malvertising techniques, leveraging pay-per-click ads on platforms like Google and Bing to direct victims to compromised websites hosting trojanized software downloads. These websites mimic legitimate software providers, tricking victims into downloading compromised versions of tools such as AnyDesk and Cisco AnyConnect.
SRP first detected suspicious activity within its network in November 2024 and subsequently notified law enforcement. A forensic investigation revealed unauthorized access to the credit union’s systems during the breach period, potentially compromising extensive customer information. Prolonged access provides attackers with ample time to navigate systems, exfiltrate data, and cover their tracks. The delayed discovery raises questions about the effectiveness of the intrusion detection systems and monitoring protocols in place.
In a filing with Texas regulators, SRP disclosed that hackers accessed names, Social Security numbers, driver’s license numbers, dates of birth, and financial information, including account numbers and credit or debit card numbers. However, the credit union assured that its core processing systems and online banking platforms remained unaffected.
SRP’s notification to Maine regulators was more limited in detail, referencing only names and government-issued identification as compromised. Despite these disclosures, SRP has not confirmed Nitrogen’s claims or provided details on how the attack occurred. The inconsistency in reporting across states reflects a fragmented regulatory landscape for data breaches, where varying requirements can result in incomplete or non-uniform disclosures. This lack of standardization leaves consumers with an unclear understanding of the true extent of breaches.
Although the proactive provision of identity protection services is a positive step, it also reflects a reactive posture that signals gaps in preemptive security measures. Such breaches erode consumer trust and pose long-term reputational risks to financial organizations. This breach comes on the heels of other notable cyberattacks targeting financial institutions, such as the attack on Northern California’s Patelco Credit Union. The rise in ransomware operations, including Nitrogen, underscores the growing threat to financial organizations worldwide.
The credit union may soon find itself entangled in legal battles following the breach, as Oklahoma City-based Murphy Law Firm has begun investigating claims on behalf of individuals whose personal information was compromised. The firm, known for its proactive stance on data privacy litigation, is not just stopping at inquiries; it is actively encouraging affected individuals to consider joining a potential class-action lawsuit.