TDECU data breach affects half a million people

The Texas Dow Employees Credit Union (TDECU) has filed a data breach notification, reporting that the data of 500,474 people has been accessed in an external system breach.

TDECU is the largest Houston-area credit union, and the fourth largest in the state of Texas. The credit union was founded by employees of Dow Chemical Company in December 1954 and membership was initially limited to Dow and Ethyl-Dow employees. Since then it has gone through several mergers and acquisitions

According to the data breach notification, the breach occurred on May 29, 2023, but wasn’t discovered until July 30, 2024.

TDECU has sent personal notifications to those individuals it suspects might have been affected. In this notification and on its website, TDECU explained that the incident was related to the MOVEit vulnerability that impacted many other organizations last year. Due to the attacks that used this vulnerability, over 20 million individuals were impacted, says TDECU. The vulnerability also allowed the attackers to view or take certain TDECU data.

“There was no compromise of TDECU’s broader network security.”

After learning of the vulnerability, TDECU launched an investigation and found that certain files containing personal information of TDECU members were potentially stolen from MOVEit by cybercriminals between May 29 and 31, 2023.

Affected individuals are being offered complimentary access to identity monitoring for 12 months.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

https://blog.malwarebytes.com/feed/