Cybersecurity Expert Shares Tips for Dublin-Based Patelco Credit Union Customers After Ransomware Attack

The facade of a building with a sign that reads "Patelco" with a swirling red logo to the left.
A Patelco Credit Union building in Dublin on July 23, 2018.  (Smith Collection/Gado/Getty Images)

One of the largest credit unions in the Bay Area and nationwide has been trying to restore its systems, after a ransomware attack first reported Saturday.

The Patelco Credit Union, which is based in Dublin and serves half a million members, has shut down some day-to-day banking services, namely electronic transactions, like Zelle, direct deposit, balance inquiries, and payments.

According to the latest update posted Tuesday on its site: “Please know that any incoming direct deposit(s) will be credited to your account and processed before any withdrawals (e.g., checks, cash withdrawals). Currently, you can access the funds from your direct deposit by writing a check, using an ATM card to get cash or make a purchase.”

Customers can still make cash withdrawals at ATMs. Dwight Moore, who’s been banking with Patelco for 25 years, said he was able to get cash on Monday, but he couldn’t see his balance.

“It does make me worry,” he said. “Patelco has been good since I’ve been banking with them, so this is shocking.”

Patelco has sought help from a third-party cybersecurity firm to investigate the data breach. It is unclear how many credit union members were affected and how long it will take before systems are fully restored.

“When I talked to people on the phone, because I called their customer service line, they weren’t able to give me any sort of information regarding what my balance was,” said Alex Ellis, who’s banked with Patelco for years.

Ellis, who lives in Oregon with her husband, said her grandfather opened an account for her when she was a kid. But the stress she has experienced over the past few days could lead her to leave Patelco altogether, as the attack took place just before the beginning of the month when payments like rent are typically due.

“We are very fortunate that our landlords seem to be working with us and [are] understanding of the situation,” she said. “I’m very interested to kind of see how they finish handling stuff, because it will definitely help determine what I end up deciding to do in the future.”

Ransomware attacks typically target institutions, like schools, health care systems and local governments (like the City of Oakland), where large tranches of personal information are stored, or where hackers presume the victim is willing to spend a lot of money to get the institution up and running again quickly.

Even KQED was hacked in 2018.

Ransomware incidents have been on the rise. In 2023, they went up by 68 percent, according to the ThreatDown State of Malware report published by Malwarebytes, a cybersecurity company based in Santa Clara.

Davis Hake, a San Francisco-based senior director of cybersecurity services at the Venable law firm and an adjunct professor in cyber risk management at UC Berkeley, is a leading author of early cybersecurity legislation in Congress. He shared his insights on the Patelco case with Rachael Myrow, senior editor of KQED’s Silicon Valley news desk.

Here’s an excerpt of their conversation, edited for clarity:

RACHAEL MYROW: Tell us more about ransomware attacks. How do they work exactly?

DAVIS HAKE: Adversaries will start with a phishing attack, which is an impersonation, to try and get someone through email to click on a link, which gives them access to the account. The adversaries then work through low-level attacks to escalate their ability to get closer and closer to critical parts of a business. And then, once they’re there, they’ll deploy malware, which locks down a system.

It’s a type of attack that locks down critical parts of a business. And what attackers were really trying to do here is they’re trying to put pressure on the business to pay an extortion in order to restore services. Unfortunately, we’ve seen these types of attacks become more popular among criminals. Folks may remember the “NotPetya” ransomware attacks of 2017. After that time period, these types of attacks started growing in success. And over the pandemic, when we saw a shift to work from home, as well as major disruptions to health care systems, these attacks really took off and have been a major issue since.

Financial institutions know they’re big targets for hackers. So, what processes do they have in place to prevent these attacks?

Security controls, such as multi-factor authentication, can help limit the adversary getting access to larger accounts. Having backups in place is critical, obviously, so you can restore without paying an extortion.

But a larger issue for ransomware victims is social pressure that extortionists put on the victim. Like in this case [of Patelco], there’s enormous social pressure to fix it. [That’s] what will oftentimes drive payment and extortion, which we always want to try and avoid. So, in this case, working on developing an incident response plan ahead of time and then following that plan ensures that you have business processes in place to account for disruptions.

What do we know, if anything, about the ransomware attack that hit Patelco?

I don’t know the specifics of this case other than what’s been reported publicly. But for any individual, they should treat this just like a data breach. It’s critical to look into things like changing your passwords, which is always a good idea. Looking at other bank accounts, being alert for fraud that may be associated with the email that you use for banking, and then also to think about how this may impact your ability, if you’re a small business, to pay your vendors or your employees. Plan ahead for what this disruption might mean to your business.

When the city of Oakland was hit last year, it took a long time for some services to come back. But I know that they prioritized critical services coming in first. So, you know, general cyber hygiene is what you can take advantage of for your own self.

How can the rest of us prepare ourselves to avoid or limit the damage from future attacks of this nature? Should we also be thinking in terms of distributed banking, making sure that we don’t pay everything from the same account?

Certainly. So, thinking through: What is your own backup plan? How can you ensure resiliency to your services? This is actually what we teach folks experiencing ransomware incidents. The idea is to make sure that your business, and the critical functions of that business, can keep on operating, even when disrupted. And [that’s] even in a case where it may take weeks for services to come back online.

KQED’s Caroline Smith contributed to this report.
