Energy Capital Credit Union Breach Exposes Members' Social Security Numbers

A recent data breach at Energy Capital Credit Union has exposed sensitive personal and financial information of its members and employees. The incident was the result of a ransomware attack carried out by a group known as FOG, who claimed responsibility on the dark web on Dec. 19, 2024.

According to the disclosure to the Massachusetts Attorney General, the breach occurred between Oct. 29, 2024, and Nov. 19, 2024, and was discovered by the credit union on Nov. 19, 2024. During this period, unauthorized actors gained access to the organization’s network, compromising internal financial documents, customer and employee contacts, and insurance documents.

According to the Credit Union's data breach notice page, a detailed review determined that the exposed information included names, Social Security numbers, tax identification numbers, driver’s license or government-issued identification numbers, dates of birth, financial account information, credit and debit card numbers, health insurance information and limited medical information.

The breach affected at least 31 individuals in Massachusetts, but the full scope may be broader given the credit union’s operations in Texas and its more than 18,000 members. The FOG ransomware group posted the stolen data on a Tor network, further increasing the risk of identity theft and fraud for those affected.

Energy Capital Credit Union's response

To support those impacted, Energy Capital Credit Union is offering complimentary credit monitoring and identity theft protection services through Financial Shield Complete for individuals whose Social Security numbers may have been compromised. Impacted individuals will receive instructions and unique activation codes by mail to enroll in these services.

Given the nature of the breach and the involvement of ransomware, the credit union is advising affected individuals to take several precautionary steps:

• Enroll in the provided credit monitoring and identity theft protection service before the stated deadline
• Place a fraud alert on credit files with any of the three major credit bureaus (Equifax, Experian, TransUnion)
• Consider placing a security freeze on credit files to prevent unauthorized access
• Obtain and review free annual credit reports for suspicious activity
• Remain vigilant by monitoring financial account statements and explanation of benefits statements for irregularities

The company’s official notice provides additional guidance, including contact information for the dedicated response line and resources for reporting identity theft to the Federal Trade Commission and state attorneys general. Those with questions or concerns can reach the response line at 855-403-1511, Monday through Friday from 9 a.m. to 9 p.m. Eastern time.