Texas Dow Employees Credit Union (TDECU) experienced a data breach in which the personal information of more than 500,000 members was leaked. The breach occurred when a third-party vendor used for transferring data, MOVEit, was compromised on May 31, 2023. The MOVEit breach impacted more than 20 million individuals.

TDECU states it investigated shortly after but found no evidence of a compromise. Then, on July 30, 2024, the organization discovered the loss of the files. The files in question contained information such as: 

  • Birth dates
  • Driver’s licenses and/or government IDs
  • Credit or debit card numbers 
  • Taxpayer identification numbers 
  • Financial account numbers 
  • Social Security numbers 

Security leaders weigh in 

Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit:

“The MOVEit managed file transfer (MFT) software vulnerability (CVE-2023-34362) continues to be discussed in the news due to widespread exploitation and the depth of exploitation. Groups including the infamous Cl0p ransomware group quickly took advantage of this zero-day opportunity to exploit targets of interest for high payouts. In the case of ransomware, involving double-extortion tactics, techniques and procedures (TTPs), it is common for a wealth of data to be stolen to force payout. Ransomware continues to be one of the most common and also highest impact threats facing every organization in 2024.

“While we may tire of hearing about MOVEit updates in the news, it is critical to apply lessons learned to each organization — what can an organization do to proactively move to the ‘left of boom’ to avoid exploitation, rapidly identify and remediate threats if an incident occurs, and best manage a disaster should one occur? Readiness is more than planning on paper; it requires regular testing, demonstrating TTPs and defensive measures, testing for operational excellence and gaps. It also requires running drills — blackbox, graybox and whitebox — to continually prepare and adjust to dynamic global threatscape risks to an organization.”

Darren Guccione, CEO and Co-Founder at Keeper Security:

“The sheer scope of the MOVEit breach is concerning, but what’s even more alarming is that the breach at Texas Dow Employees Credit Union (TDECU) went undetected for more than a year. This significant delay not only underscores the need for continuous monitoring and robust cybersecurity practices but also has severe implications for victims. The extended exposure of sensitive personal information — while victims remained unaware — significantly raises the risk of identity theft and financial fraud.

“The fact that TDECU’s breach remained undetected for so long highlights the critical importance of rigorous and continuous patch management. Multiple patches were released following the MOVEit breach, and with any breach of this scope, it is imperative that they be applied promptly. However, applying patches is just one part of the solution — systems must also be continuously monitored for any signs of unusual activity.

“The MOVEit breach must remain top of mind for all security teams in the near future and should serve as a stark reminder of the importance of cybersecurity investment and prioritization. The extensive impact and the prolonged detection issues at TDECU highlight the need for ongoing attention to known vulnerabilities. Securing data transfers, particularly with third-party vendors, is vital, but so are strong internal security measures.

“To enhance long-term data protection, security teams should adopt a zero-trust architecture and implement comprehensive monitoring and detection capabilities. Limiting data collection to only essential information and enforcing strict access controls can reduce exposure and the likelihood of a breach. Additionally, a Privileged Access Management (PAM) platform can further safeguard against breaches (and reduce impact if they do happen) by closely monitoring privileged accounts, enforcing fine-grained authentication and preventing lateral movement within the network.”

Adam Gavish, Co-Founder and CEO at DoControl:

“The TDECU notification is yet another reminder of the far-reaching impact of the MOVEit breach. We’re likely to see these ripple effects continue for months, if not years. This long tail has two critical aspects we need to consider.

“First, there’s the ongoing vulnerability. Despite widespread awareness, we’re still seeing organizations slowly patching their MOVEit deployments. This creates a persistent risk, as attackers continue to probe for unpatched systems. Security teams need to prioritize identifying and patching any remaining vulnerable MOVEit instances immediately.

“Second, and perhaps more concerning, is the potential for delayed data leaks. Many organizations may not even realize their MOVEit deployment was compromised. This stolen data could surface on dark web forums or be used in targeted attacks months or even years down the line. It’s a ticking time bomb of potential breaches.

“The security of your data doesn’t end at your network perimeter. Companies need to conduct thorough audits of what data they’ve been transferring through MOVEit or similar file transfer services. Understanding what sensitive information might have been exposed is crucial for risk assessment and mitigation.

“Moving forward, security teams need to prioritize comprehensive visibility and control over their entire SaaS ecosystem. This includes not just the apps they directly use, but also the interconnected web of third-party services and data transfers. But it’s not just about tools. This incident highlights the need for a shift in mindset. Security teams need to operate under the assumption that breaches will happen, and focus on minimizing the potential impact. This means implementing strict data access controls, enforcing the principle of least privilege and continuously monitoring for unusual data movement or access patterns.

“The long tail of the MOVEit breach serves as a stark reminder: in today’s interconnected digital landscape, your security is only as strong as your weakest link. It’s time for a more proactive, data-centric approach to security that keeps pace with the realities of modern SaaS adoption and third-party data handling.”