
November 26, 2023. The Sunday after Thanksgiving. Most Americans were recovering from turkey dinners and Black Friday shopping. At Mountain Valley Federal Credit Union in Peru, New York, members started noticing something was wrong. They couldn’t access their accounts. The mobile app wasn’t working. ATM transactions were failing. CEO Maggie Pope knew immediately this wasn’t a simple glitch. “This is not just an MVFCU issue,” she told local news. “It is nationwide.” She was right. Approximately 60 credit unions across America had just gone dark, all at once.



The Invisible Target

None of the 60 credit unions were directly attacked. The ransomware hit a company most of their members had never heard of: Ongoing Operations, a cloud services provider owned by a company called Trellance. Ongoing Operations provided the technology backbone for dozens of credit unions. When they went down, every credit union that depended on them went down too. The attackers knew exactly what they were doing. Instead of attacking 60 individual targets, they hit one and took out 60 at once.

How They Got In

Security researcher Kevin Beaumont analyzed the attack and identified the entry point: CitrixBleed, a critical vulnerability in Citrix networking equipment. The vulnerability, officially designated CVE-2023-4966, had been publicly disclosed months earlier. A patch had been available since May 2023, six months before the attack. The attackers didn’t need sophisticated zero-day exploits or nation-state resources. They just needed to find an organization that hadn’t updated its systems.

The Ripple Effect

For the affected credit unions, the timing couldn’t have been worse. Members couldn’t check balances, transfer funds, or pay bills during the critical end-of-month period. Small businesses that relied on these credit unions for payroll were scrambling for alternatives. Mountain Valley Federal Credit Union, with just 4,600 members, suddenly found itself explaining to customers why a ransomware attack on a company in another state had frozen their accounts. The National Credit Union Administration, the federal agency that oversees credit unions, confirmed the scope of the attack on December 4, 2023, more than a week after it began.

The vulnerability that enabled this attack had a patch available for six months. Sometimes the most devastating breaches exploit the most preventable weaknesses.

The Uncomfortable Truth

Here’s what made this attack so effective: the credit unions did everything right. They chose a reputable vendor. They outsourced their technology to professionals. They trusted their provider to maintain security. But they couldn’t control what their vendor did, or didn’t do. NCUA Chairman Todd Harper had actually testified before Congress about vendor risk management just three weeks before the attack. He warned that credit unions were increasingly dependent on third-party technology providers, and that a single point of failure could affect the entire system. Three weeks later, his warning proved prophetic.

The Recovery

By December 13, 2023, seventeen days after the attack began, affected credit unions were reported to be fully operational again. But for nearly three weeks, millions of Americans had limited or no access to their money. The incident demonstrated something many organizations don’t want to think about: your security is only as good as your weakest vendor’s security.

What This Means for Your Organization

You probably don’t run a credit union. But you almost certainly depend on third-party vendors for critical business functions. Cloud services, payment processing, customer relationship management, email: the list goes on. Ask yourself:

• Do you know who your critical vendors are? Not just the big names, but the companies behind the companies. The vendors your vendors use.
• Do you know what happens if they go down? Not just an inconvenience, but completely offline. For days or weeks.
• Do you have any visibility into their security practices? When was the last time you asked about their patch management? Their incident response plan?
• Do you have alternatives? If your primary vendor disappeared tomorrow, could you continue operating?

The Lesson

The credit union attack wasn’t about credit unions being careless. It was about the interconnected nature of modern business technology. One unpatched system at one vendor can cascade into a crisis affecting millions of people. You can’t eliminate vendor risk. But you can understand it, plan for it, and make sure you’re not blindsided when something goes wrong.



centrexIT helps San Diego organizations understand their vendor dependencies and build resilience into their technology strategy. If you’re not sure how a vendor failure would affect your business, let’s find out together.

 

Sources

• CNN Politics: “Ransomware attack causes outages at 60 credit unions, federal agency says” (December 4, 2023)
• Cybersecurity Dive: “Dozens of credit unions confront outages linked to third-party ransomware attack” (December 4, 2023)
• The Record: “60 credit unions facing outages due to ransomware attack on popular tech provider” (December 1, 2023)
