Message from CEO James Gergen

Dear Members,

I apologize for any inconvenience you suffered late last week as we moved to offline processing in our branches Friday afternoon and all-day Saturday and closed our Contact Center at the same time. As owners of the credit union, you deserve an explanation. We were one of the many victims of the Kaseya cyberattack which made international news. Kaseya is a firm which provides remote management software to managed service providers (MSPs). Their Kaseya VSA tool is designed to help MSPs serve their client companies by enabling the MSP to provide secure and efficient remote support for managed software. In this case the VSA tool was compromised, and instead of helping operate systems securely, it actually delivered sophisticated malware. We rely on an MSP to help support our phone system, and since they use the VSA tool, the result was that malware was delivered to the servers running our phone system on Friday. This was a new and sophisticated attack which had a good chance to avoid detection and succeed. For the attackers, success meant encrypting clients’ data, enabling them to shut down clients’ operations and extort a ransom from each client.
While our service suffered last week, and our phone support may suffer this week, we succeeded against the attack in the most important ways:

  • Our core data (member data, deposits, loans, etc.) was never at risk. The attack was on our phone servers and the operating system they use is entirely different from the operating system of our core.
  • Our digital banking was never at risk and continued to work. Digital banking runs on an entirely different system and it remained up even after we shut down all systems at risk.
  • Our debit cards and credit cards were never at risk and continued to work. Our cards run on entirely different systems.
  • Every indication to date is that no CPM data was accessed or stolen. We looked extensively at our system logs and all of our research is consistent with reports from knowledgeable authorities that this attack was not designed to steal data but to quickly encrypt data and hold it for ransom.
  • No data was encrypted. We will be able to restore all operations without having to pay a ransom.

We are pleased to have avoided the fate of the hundreds (thousands?) of companies which had their data encrypted. Part of the story is that we shut down our own systems to protect them. We will review with our Board and Supervisory Committee the full story and all that worked in our favor as well as what lessons we can learn from this attack. We engaged a forensics audit of the attack which will ensure we completely understand any lessons this event holds for us.

Right now, we are busy restoring our systems safely. We were prepared for this task in some very important ways.

  • We keep backups of our servers. Those were not affected and have been very important as we restore operations.
  • We capture detailed system logs. Our IT staff worked extraordinarily long hours over the weekend reviewing these logs. We can see details of what happened.
  • We have a very able and dedicated IT staff and we work with IT specialty firms which assist us at a time like this. Two specialty firms aided us in our long hours over the holiday weekend by reviewing system logs and helping us plot our path to restoring our systems.

Most of the work to restore our non-phone systems has already been completed. Our staff will be coming in early on Tuesday to process your transactions from Friday and Saturday, and we are on track to be able to serve you as normal in our branches on Tuesday morning.

Our phone system will probably be the last system we restore, and we may have to operate without our normal phone system for several business days. Please watch our website or social media for the latest developments.
Our Board, Federal regulator, and other Federal authorities have been informed we were attacked, and we will cooperate with them in every way possible.

I am grateful to the front-line and back-office staff at CPM which ably served you despite lack of system support, and I am humbled by the efforts of our IT team and IT partners for the long hours they put in and the skill they demonstrated as they spent the holiday weekend working to understand the attack and recover and restore our systems. While our service was hampered late last week, I have never been prouder of our staff.

Thanks for your patience and understanding.

James Gergen
CPM Federal Credit Union