- Connex Credit Union confirm suffering major data breach
- Customer data stolen, and the attackers have not been identified
- Users are warned to be wary of suspicious incoming emails
Financial cooperative Connex Credit Union has revealed it suffered a cyberattack in which it lost sensitive data on around 172,000 customers.
The company confirmed the news in a new filing with the Office of the Maine Attorney General, as well as via data breach notification letters it sent to affected individuals.
In the letter, the company said it experienced “unusual activity” on its network on June 3, 2025, and after an investigation concluded that an unauthorized third party stole sensitive files the day before. After almost a month of investigating, Connex determined that the threat actors stole people’s names, account numbers, debit card information, Social Security numbers (SSN), and other government identification information needed to open an individual’s account with the company.
Shifting strategies
“Connex has no reason to believe the incident involved unauthorized access to member accounts or funds,” it was said in the letter.
The letter then goes on to say the usual – that the company is further strengthening its cybersecurity posture, and that it is offering 12 months of free credit and identity theft protection services. It picked Cyberscout as the service provider in this case.
Connex Credit Union is a well-established, member-owned financial cooperative based in Connecticut. It is one of the largest credit unions in Connecticut, with more than 70,000 members and over $1 billion in assets.
At the same time, a San Francisco law firm – Schubert Jonckheer & Kolbe, is said to be investigating this data breach under the suspicion the company took too long to notify its customers of the incident.
In a press release, the law firm said the breach occurred in June 2025, but Connex “did not begin notifying affected individuals until or around August 7, 2025, which may have violated state and federal laws.”
In the State of Connecticut, the deadline for notification is “without reasonable delay, but no later than 60 days after discovery of the breach”. That is, unless shorter time is required by federal law.
How to stay safe
There are numerous ways cybercriminals can abuse the stolen files.
They can create accounts with different financial and government institutions, running wire fraud and tax evasion schemes.
They can also engage in spear-phishing attacks to deploy malware, or even ransomware, against the victims.
To stay safe, users should be careful when opening unsolicited communications, and should keep a close eye on their bank statements.
Via BleepingComputer
