Credit Unions Are in the Crosshairs: What the 2024–2026 Breach Wave Is Teaching Us
Patelco, MemberSource, Marquis, Ongoing Operations. The last 24 months show credit unions are being hit through their vendors as often as their own networks. Here is what credit union boards, CIOs, and risk officers should do this quarter.
The headline insight
Credit unions are now one of the most-targeted segments of U.S. financial services, and the attack pattern has shifted. The largest losses in the last two years did not come from credit unions being directly compromised. They came from third-party fintech, marketing, and disaster-recovery providers that hold member data on the credit union’s behalf. From May 1, 2024 through April 30, 2025, credit unions reported 539 cyber incidents to the National Credit Union Administration — roughly four every business day — covering ATM jackpotting, business email compromise, phishing, ransomware, and third-party service provider events (NCUA 2025 Cybersecurity and Credit Union System Resilience Report). Members do not draw a distinction between a credit union and its vendors. Regulators no longer do either.
Why it matters now
Three things have changed at the same time:
- Attackers have monetized the supply chain. A single intrusion at a shared fintech provider produces hundreds of downstream notification events, each with its own legal, regulatory, and member-trust cost.
- NCUA’s 72-hour cyber incident reporting rule is in full effect. Federally insured credit unions must notify NCUA within 72 hours of forming a reasonable belief that a reportable incident has occurred, including when a third party tells them their data was affected (NCUA Cyber Incident Notification Requirements). The window is 72 calendar hours, not business hours, so a vendor notice that lands on a Friday evening is due to NCUA by Monday evening. In the first month the rule was active, NCUA received 146 reports, roughly the volume it previously saw in an entire year (Cybersecurity Dive).
- The FBI’s IC3 reported $16.6 billion in cybercrime losses in 2024, a new record, with cyber-enabled fraud responsible for roughly 83 percent of total losses — $13.7 billion (FBI IC3 2024 Annual Report; Nacha). Most of that fraud touches a deposit account somewhere. For community financial institutions, that “somewhere” is increasingly your members.
What changed: four incidents that define the current threat model
Patelco Credit Union — 726,000 members, ransomware, six-week dwell time
On June 29, 2024, Patelco — a $9B Northern California credit union — detected a ransomware intrusion that had been inside its environment since May 23, more than five weeks earlier. The attackers exfiltrated databases containing names, Social Security numbers, driver’s license numbers, dates of birth, and email addresses. Patelco initially estimated around 500,000 members affected; in its filing to the Maine Attorney General the figure rose to 726,000 customers and employees. The RansomHub group later listed Patelco on its leak site and auctioned the data after negotiations failed (SecurityWeek; California DFPI alert). The lesson is not that Patelco missed the initial intrusion. The lesson is that an attacker lived in the environment for six weeks without triggering a high-fidelity detection or response.
MemberSource Credit Union — 22,308 Texans, SafePay ransomware, 50 GB exfiltrated
On June 3, 2025, MemberSource Credit Union in Houston detected disruptions across branch networks. Investigation confirmed unauthorized exfiltration of names, Social Security numbers, driver’s license/state ID numbers, and financial account information. Two weeks later, the SafePay ransomware group claimed 50 GB of MemberSource data on its dark-web leak site. Notification to state attorneys general did not begin until May 8, 2026, more than eleven months after the intrusion (ClaimDepot; ClassAction.org). Even with a 72-hour regulator-notification rule, member-notification timelines remain measured in months once forensic review begins.
Marquis Software — 672,000 individuals, 74 banks and credit unions, one SonicWall zero-day
On August 14, 2025, attackers exploited a SonicWall zero-day to breach Texas-based fintech Marquis, which provides marketing, analytics, and compliance services to more than 700 banks, credit unions, and mortgage lenders. Marquis disclosed in December 2025 filings that 672,075 individuals had personal data stolen — names, dates of birth, addresses, phone numbers, Social Security numbers, taxpayer IDs, and financial account information — and that 74 financial institutions were downstream (BleepingComputer; TechCrunch). Minnesota’s Blaze Credit Union alone reported 253,000 affected members from the Marquis incident (Twin Cities Business). Marquis’s network was the attack surface. Every downstream credit union owned the regulatory and reputational consequence.
Ongoing Operations / Trellance — 60 credit unions offline in a single weekend
On November 26, 2023, Ongoing Operations — a Trellance subsidiary that delivers disaster recovery and cloud services to credit unions — was hit with ransomware reportedly via the Citrix Bleed vulnerability (CVE-2023-4966). Roughly 60 credit unions experienced operational outages, some lasting days (Bitdefender; Cybersecurity Dive). This is the canonical credit union supply-chain event. The provider that exists to keep you online became the reason you were offline.
A pattern emerges across all four:
- Initial access via a perimeter or identity weakness: an unpatched edge appliance (Marquis/SonicWall), an unpatched gateway (Ongoing Operations/Citrix Bleed). Patelco has not publicly named its initial-access vector; a five-week dwell is consistent with a credential or session compromise but does not establish one.
- Long dwell time before detection: more than five weeks at Patelco, not publicly established at Marquis or MemberSource, where the ransomware itself was the first visible symptom.
- Data exfiltration before encryption or destruction: the leverage now is the leak site, not the locked file. RansomHub auctioned Patelco’s data after negotiations failed; SafePay posted its 50 GB MemberSource claim on its leak site.
- Notification debt: the 72-hour rule bounds the regulator notification, but the gap between intrusion and member notification is still measured in months (eleven at MemberSource).
The pressures stacking on top of the breach wave
Account takeover and check fraud are accelerating. TruStage issued a corporate check fraud risk alert in July 2025 reporting an industry-wide surge in counterfeit and altered checks against credit union member accounts (MD|DC Credit Union Association). Social-engineering account takeovers — including session-token theft after the member completes 2FA — are a top loss pattern in TruStage’s 2025 emerging risk overview (TruStage Emerging Risks 2025).
Business email compromise is now a $55 billion problem. The FBI’s IC3 has tracked $55.49 billion in domestic and international BEC losses through 2023, with attackers increasingly routing stolen funds through custodial accounts at financial institutions and crypto exchanges (FBI IC3 BEC PSA, September 2024). Credit unions sit in two roles at once: the institution defending its own staff, and the institution receiving fraudulent wire and ACH credits.
The regulator’s posture is hardening. NCUA’s 2025 Supervisory Priorities make cybersecurity a top supervisory priority for the third consecutive year, direct boards to treat cybersecurity as a “top oversight and governance responsibility,” and explicitly tell examiners to assess vendor due diligence (NCUA 2025 Supervisory Priorities). The Information Security Examination program now scales with each credit union’s risk profile, but the questions are the same at every asset tier: do you know what your vendors hold, do you detect intrusions in hours rather than weeks, and can you prove your board is engaged.
What credit union leaders should do this quarter
Five priorities, ordered by the leverage they produce per dollar spent.
- Build a third-party incident playbook before you need it. For every vendor that holds member PII, processes payments, or maintains uptime for member-facing services, document: who at the vendor calls you, how fast, with what evidence, and how that triggers your NCUA 72-hour clock. Run a tabletop on a “vendor told us at 4:50 p.m. on Friday” scenario. The Marquis and Ongoing Operations incidents both showed that downstream credit unions were caught flat-footed by notifications they had no playbook for.
- Get to 24/7 monitored detection and response — not 24/7 alerting. Patelco’s six-week dwell time and MemberSource’s months-long forensic timeline are detection failures, not prevention failures. A community-asset credit union does not need to build a SOC. It needs an analyst on the keyboard at 2 a.m. on a Saturday when the ransomware operator is staging exfiltration. That is a buy decision, not a build decision, for the vast majority of credit unions under $5B.
- Treat identity as the new perimeter. Session-token theft, MFA fatigue, and help-desk social engineering are now routine initial-access vectors against financial services. Phishing-resistant MFA (FIDO2 / WebAuthn) for privileged users, conditional access tied to device posture, and a help-desk verification standard that does not collapse under a confident caller are the three controls auditors and adversaries both probe first. One caveat: FIDO2 hardens the login, not a session token stolen after it, so pair it with short session lifetimes and re-authentication for sensitive actions such as wire approval.
- Patch the perimeter your vendors built. SonicWall at Marquis. Citrix at Ongoing Operations. The current intrusion sets do not need novel exploits. They need an internet-facing appliance that is one CVE behind. Inventory every internet-facing system you or your vendors operate, map it to CISA’s Known Exploited Vulnerabilities catalog, and treat KEV-listed flaws as 14-day fixes, not quarterly hygiene. Each KEV entry carries its own CISA due date under BOD 22-01; use whichever of that date and your 14-day clock comes first. For an appliance a vendor operates on your behalf you cannot push the patch yourself, so the same 14-day expectation has to be written into the contract and evidenced by the vendor.
- Brief the board with the incidents, not the maturity score. NCUA Letter 24-CU-02 makes directors personally accountable for cyber oversight. Walk them through Patelco and Marquis as case studies of what 24-hour, 72-hour, and 30-day decisions actually look like. A board that has practiced the call will make better choices when it is real.
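The two clocks the first priority above asks you to document, the vendor’s contractual notify-us-within window and your own 72-hour NCUA window, are easy to get wrong at 4:50 p.m. on a Friday. The script below is an added example written for this article, not code from the original page or from Cyberuptive; the vendor name, the 24-hour contractual SLA, the timestamps, and the field names are all constructed for illustration. It uses a fixed UTC-5 offset so it runs without a timezone database; production code should use `zoneinfo` so deadlines that cross a DST change are computed correctly.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# 12 CFR 748.1(c): notify NCUA no later than 72 hours after the credit union
# reasonably believes a reportable incident occurred. Calendar hours, not business hours.
NCUA_WINDOW = timedelta(hours=72)

# Fixed UTC-5 offset so the example needs no tz database; production code should use
# zoneinfo so that deadlines crossing a DST change are computed correctly.
CDT = timezone(timedelta(hours=-5), "CDT")


@dataclass(frozen=True)
class VendorNotice:
    """One vendor-originated incident notification. Field names are this example's own."""
    vendor: str
    vendor_detected_at: datetime   # when the vendor says it discovered the incident
    received_at: datetime          # when the notice actually reached the credit union
    contract_sla: timedelta        # hypothetical contractual 'notify us within' window


def ncua_deadline(reasonable_belief_at: datetime) -> datetime:
    """The NCUA clock starts at reasonable belief, not at forensic confirmation.
    For a vendor-originated event that is normally the moment the notice is received."""
    if reasonable_belief_at.tzinfo is None:
        raise ValueError("use a timezone-aware timestamp")
    return reasonable_belief_at + NCUA_WINDOW


def clock_report(notice: VendorNotice, as_of: datetime) -> dict:
    """Both clocks at once: did the vendor meet its contractual SLA, and how much of the
    credit union's own 72-hour NCUA window is left as of `as_of`."""
    deadline = ncua_deadline(notice.received_at)
    vendor_delay = notice.received_at - notice.vendor_detected_at
    remaining = deadline - as_of
    return {
        "vendor": notice.vendor,
        "vendor_delay_hours": round(vendor_delay.total_seconds() / 3600, 1),
        "vendor_sla_met": vendor_delay <= notice.contract_sla,
        "ncua_deadline_utc": deadline.astimezone(timezone.utc).isoformat(),
        "ncua_deadline_weekday": deadline.strftime("%A"),
        "hours_remaining": round(remaining.total_seconds() / 3600, 1),
        "ncua_overdue": remaining < timedelta(0),
    }


# Constructed scenario: a hypothetical DR provider emails at 4:50 p.m. Central on a Friday
# about an intrusion it found on Wednesday night; the (hypothetical) contract says 24 hours.
FRIDAY_NOTICE = VendorNotice(
    vendor="ExampleDR (hypothetical)",
    vendor_detected_at=datetime(2025, 6, 4, 22, 15, tzinfo=CDT),
    received_at=datetime(2025, 6, 6, 16, 50, tzinfo=CDT),
    contract_sla=timedelta(hours=24),
)


def friday_scenario(hours_after_notice: float) -> dict:
    """Report for the constructed scenario as seen `hours_after_notice` after the email landed."""
    return clock_report(FRIDAY_NOTICE, FRIDAY_NOTICE.received_at + timedelta(hours=hours_after_notice))


if __name__ == "__main__":
    for k, v in friday_scenario(9).items():   # 1:50 a.m. Saturday
        print(f"{k}: {v}")
```

Two things the output makes concrete for a tabletop: the vendor missed its 24-hour contractual window by a wide margin (the notice came 42.6 hours after the vendor’s own detection), and the credit union’s NCUA deadline is Monday at 4:50 p.m. regardless of the weekend, which is why the playbook needs an on-call owner for the clock, not just a Monday-morning meeting.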
Metrics that actually predict outcomes
Track these monthly at the management level and quarterly at the board level:
- Mean time to detect (MTTD) for in-environment intrusions. Target: hours, not weeks.
- Mean time to contain (MTTC) after detection. Target: under 24 hours for credential and endpoint events.
- Percentage of critical vendors with executed cyber incident notification SLAs in their master service agreements.
- Phishing-resistant MFA coverage for privileged users (admins, wire approvers, help-desk staff). Target: 100 percent.
- KEV-listed vulnerabilities open on internet-facing assets — yours and your hosted/managed vendor footprint where contractually visible. Target: zero open beyond 14 days.
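The last metric above, and the “patch the perimeter your vendors built” priority, both come down to one join: scanner findings on internet-facing assets against the CISA KEV catalog, aged against a 14-day clock and split by who can actually apply the fix. The script below is an added example for this article, not code from the original page or from Cyberuptive. The KEV excerpt is constructed in the shape of CISA’s JSON feed using only the fields the script reads; CVE-2023-4966 is the Citrix Bleed entry named in the article, while the other CVE IDs are deliberately invalid placeholders, not real vulnerabilities, and all dates, host names, and the vendor name are illustrative.

```python
import json
from datetime import date, timedelta

SLA_DAYS = 14  # the article's target for KEV-listed flaws on internet-facing assets

# Constructed excerpt in the shape of CISA's KEV JSON feed (the real feed has more
# fields). CVE-2023-4966 is the Citrix Bleed entry named in the article; CVE-1900-0001
# is a deliberately invalid placeholder, not a real vulnerability. Dates are
# illustrative; take them from the live catalog in practice.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
     "product": "NetScaler ADC and NetScaler Gateway",
     "dateAdded": "2023-10-18", "dueDate": "2023-11-08"},
    {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor",
     "product": "Edge Firewall (placeholder)",
     "dateAdded": "2025-08-10", "dueDate": "2025-08-31"},
]})

# Constructed scanner output: one row per (asset, CVE) on internet-facing systems.
# `operator` records who can actually push the patch: the credit union or a vendor.
SCAN_FINDINGS = [
    {"asset": "gw-01.example", "operator": "credit-union",
     "cve": "CVE-2023-4966", "first_seen": "2025-08-01"},
    {"asset": "dr-fw-01.example", "operator": "vendor:ExampleDR (hypothetical)",
     "cve": "CVE-1900-0001", "first_seen": "2025-07-20"},
    {"asset": "web-03.example", "operator": "credit-union",
     "cve": "CVE-1900-0002", "first_seen": "2025-05-01"},   # not in KEV: routine queue
]


def load_kev(feed_json: str) -> dict[str, dict]:
    """Index the KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def kev_exposure(feed_json: str, findings: list[dict], as_of: str,
                 sla_days: int = SLA_DAYS) -> list[dict]:
    """Join scanner findings to the KEV catalog and age each one against the SLA.

    The clock starts on the later of (a) the day the scanner first saw the flaw and
    (b) the day CISA added it to KEV: a flaw that sat unlisted for months is not
    'overdue' the day it is listed. CISA's own dueDate (BOD 22-01) is reported beside
    the internal due date so the earlier of the two can be enforced.
    """
    kev = load_kev(feed_json)
    today = date.fromisoformat(as_of)
    out = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            continue  # not exploited-in-the-wild per CISA: normal patch cadence applies
        first_seen = date.fromisoformat(f["first_seen"])
        listed = date.fromisoformat(entry["dateAdded"])
        clock_start = max(first_seen, listed)
        internal_due = clock_start + timedelta(days=sla_days)
        out.append({
            "asset": f["asset"],
            "operator": f["operator"],
            "cve": f["cve"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "days_open": (today - clock_start).days,
            "internal_due": internal_due.isoformat(),
            "cisa_due": entry["dueDate"],
            "overdue": today > internal_due,
            "vendor_operated": f["operator"].startswith("vendor:"),
        })
    return sorted(out, key=lambda r: r["days_open"], reverse=True)


def overdue_by_operator(rows: list[dict]) -> dict[str, int]:
    """The board metric: KEV flaws open beyond the SLA, split by who has to fix them."""
    counts: dict[str, int] = {}
    for r in rows:
        if r["overdue"]:
            counts[r["operator"]] = counts.get(r["operator"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = kev_exposure(KEV_FEED, SCAN_FINDINGS, "2025-08-20")
    for r in rows:
        state = "OVERDUE" if r["overdue"] else "within SLA"
        print(f"{r['asset']:18} {r['cve']:14} {r['days_open']:3d}d open  {state}  (owner: {r['operator']})")
    print("overdue by operator:", overdue_by_operator(rows))
```

Splitting the count by operator is the point: an overdue flaw on a vendor-run appliance is a contract conversation, not a patch ticket, and it belongs on the third-party-risk agenda rather than in the internal vulnerability queue where it would otherwise hide.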
Open questions we are watching
- Whether NCUA moves from the 72-hour notification regime to a more prescriptive minimum-controls rule, similar to the New York DFS Part 500 amendments.
- Whether ransomware groups continue the shift from encryption to exfiltration-only extortion, which changes recovery economics and forces a different detection emphasis (egress monitoring and DLP alongside, not instead of, backup integrity, since a clean backup does nothing against a leak-site threat).
- Whether shared-services providers consolidate enough that a single vendor compromise can knock out a meaningful share of the U.S. credit union system at once — the systemic-risk question NCUA flagged in its 2025 resilience report.
How Cyberuptive helps
Cyberuptive runs a US-based, 24x7 security operations center and operates to CMMC Level 2 control practices. We were built for organizations that cannot tolerate a six-week dwell time and do not have the headcount to staff a follow-the-sun SOC in house. For credit unions specifically, that means:
- 24/7 human analysts watching your environment and your critical vendors’ indicators, not just an alert queue.
- An incident playbook aligned to NCUA’s 72-hour notification clock — drafted, tabletop-tested, and run by analysts who do it for a living.
- Third-party risk monitoring that watches for your vendors on dark-web leak sites, not just on questionnaires.
- Board-ready reporting that maps controls to NCUA’s Information Security Examination program and the NIST CSF 2.0.
If you are a credit union CEO, CIO, CISO, or board member and you read this and thought “we would not detect a Patelco-style intrusion in our environment today,” that is the conversation we want to have. Email info@cyberuptive.com or book a 30-minute working session at cyberuptive.com/contact. We will bring a one-page assessment of your detection posture against the four incidents above — no pitch deck required.
References
- NCUA — 2025 Cybersecurity and Credit Union System Resilience Report
- NCUA — 2025 Supervisory Priorities
- NCUA — Cyber Incident Notification Requirements
- SecurityWeek — Patelco Credit Union Says Breach Impacts 726k After Ransomware Gang Auctions Data
- California DFPI — Patelco Credit Union Cyberattack Update
- ClaimDepot — MemberSource Data Breach: 50 GB of Data Stolen
- ClassAction.org — MemberSource Credit Union Data Breach
- BleepingComputer — Marquis: Ransomware gang stole data of 672K people
- TechCrunch — Fintech firm Marquis alerts dozens of US banks and credit unions of a data breach
- Twin Cities Business — How Unusual Was Blaze Credit Union’s Data Breach?
- Cybersecurity Dive — Credit unions recover from outages caused by third-party ransomware
- Bitdefender — Hackers Take 60 Credit Unions Offline in a Single Attack on IT Provider
- FBI IC3 — 2024 Internet Crime Report
- FBI IC3 — Business Email Compromise: The $55 Billion Scam (PSA, Sept 2024)
- Nacha — FBI’s IC3 Finds Almost $8.5 Billion Lost to BEC Last Three Years
- TruStage — Corporate Check Fraud Risk Alert (July 2025)
- TruStage — Emerging Risks 2025
Cyberuptive runs a 24/7 follow-the-sun SOC staffed by U.S.-based analysts, headquartered in Honolulu and serving customers across Asia-Pacific and the U.S. mainland. We help credit unions, mid-market organizations, and Pacific defense subcontractors close the detection and third-party gaps adversaries are looking for.
Talk to us about a no-obligation credit union detection-posture review, or read our SOC-as-a-Service overview and Managed Detection and Response overview.
Frequently asked
Common questions about credit union cybersecurity and the 2024–2026 breach wave
What are the biggest cybersecurity threats facing credit unions in 2026?
The 2024–2026 breach wave against U.S. credit unions has crystallized around four reinforcing threats: third-party and vendor supply-chain compromise (Marquis, Ongoing Operations), where the credit union itself is not breached but a fintech, marketing, disaster-recovery, or core-processing vendor holding member data is; ransomware with data exfiltration hitting the credit union directly (Patelco by RansomHub, MemberSource by SafePay), where the leverage is the leak site rather than the locked file; business email compromise and account takeover, at $55.49 billion in cumulative IC3-reported BEC losses, increasingly using session-token theft to bypass MFA; and a check fraud surge (TruStage corporate check fraud risk alert, July 2025) targeting member accounts through counterfeit and altered checks. The common denominator across all four is that mature prevention is no longer sufficient; detection and incident response speed are the controls that materially separate the credit unions that recover well from those that don't.
What does NCUA's 72-hour cyber incident notification rule actually require?
Under 12 CFR 748.1(c) (effective September 1, 2023), federally insured credit unions must notify the NCUA within 72 hours of forming a "reasonable belief" that a reportable cyber incident has occurred. The threshold includes incidents at third-party service providers, meaning a credit union that learns its core processor, fintech partner, marketing analytics vendor, or DR provider was breached has the same 72-hour clock, counted in calendar hours, starting when the vendor's notification gives it that reasonable belief, which in practice is the moment the notice arrives. In the first month the rule was active, NCUA received 146 reports, roughly the volume previously seen in an entire year. The practical implication is that every critical vendor relationship now needs a documented incident notification SLA, a tested out-of-band notification channel, and a tabletop-rehearsed response playbook for the "vendor told us at 4:50 PM on Friday" scenario.
How long does the average credit union take to detect a ransomware intrusion?
The headline data points from the 2024–2026 wave are sobering: Patelco's intrusion had a six-week dwell time before detection (intrusion May 23, 2024; detection June 29, 2024). MemberSource's June 2025 intrusion did not surface in member notifications until May 2026, an eleven-month forensic and notification timeline. IBM's Cost of a Data Breach reports have consistently put the mean time to identify a breach at roughly 200 days; that figure spans all breach types and industries, is not specific to ransomware, and is not broken out by whether the organization runs a 24/7 SOC. What brings it down to hours or days is continuous, monitored detection and response. The single largest factor separating credit unions that recover from those that don't is whether someone is on the keyboard at 2 AM Saturday when the ransomware operator is staging exfiltration. See our Managed Detection and Response (MDR) and SOC-as-a-Service pages for the operational model.
Are credit unions required to have a 24/7 SOC?
There is no NCUA rule explicitly requiring a 24/7 Security Operations Center, but the regulatory direction strongly implies it. NCUA's 2025 Supervisory Priorities name cybersecurity a top supervisory priority for the third consecutive year and direct boards to treat cybersecurity as a "top oversight and governance responsibility." NCUA's Information Security Examination (ISE) program assesses continuous monitoring, incident response, and third-party oversight against the credit union's risk profile and asset size. The practical answer for most credit unions under $5B in assets is that building an internal 24/7 SOC is economically prohibitive (8–12+ dedicated analysts, $2M–$4M annually fully loaded), but operating without 24/7 monitored detection-and-response coverage creates the kind of multi-week dwell time that the Patelco and MemberSource incidents illustrate. The dominant economic answer is a managed SOC or MDR partnership with explicit NCUA-aligned incident playbooks.
What controls should credit unions implement to defend against the Marquis-style supply-chain attack?
The Marquis fintech compromise exposed 672,075 individuals across 74 downstream banks and credit unions through a single SonicWall zero-day exploitation. Five concrete controls reduce the blast radius of that pattern: (1) contractual incident notification SLAs with every critical vendor — 24 hours or less to credit union notification, with a defined out-of-band channel; (2) continuous vulnerability scanning of vendor-attributed assets where contractually visible, mapped to CISA's Known Exploited Vulnerabilities (KEV) catalog (see our Vulnerability Management service); (3) data minimization with vendors — share only what the vendor demonstrably needs, encrypted at rest and in transit, with documented retention limits; (4) dark-web and breach-site monitoring for vendor names appearing on ransomware leak sites before the vendor notifies you; (5) tested third-party incident playbooks tied to NCUA's 72-hour clock. See our MDR and Patch Management services for the operational backbone, and the Managed SOC cost 2026 buyer's guide for sizing.