DUBLIN – Four days after a ransomware attack crippled its systems, Patelco Credit Union was unable to tell its members when banking operations would return to normal.
The Dublin-based credit union has not released additional details about the security breach that has left members banned from electronic payments, deposits and transfers since last weekend.
Customers continued to wait in queues on Tuesday to use bank ATMs and were forced to visit Patelco branches across the state to withdraw cash, though they are still unable to access their statement balances or any information about their online banking.
Enrique Juarez, one of the credit union’s approximately 500,000 members, visited the Story Road branch in San Jose to inquire about his Social Security check, which has grown and is his only source of income since retiring in January. A banker told him to check with the federal agency, he said Tuesday.
“I’ve never had a problem before,” said Juarez, a San Jose resident and retired warehouse worker. “Everything is frozen, I can’t even check the balance until this is resolved – and they don’t know” when that will happen.
Ahmed Banafa, a San Jose State University lecturer and cybersecurity expert, said Tuesday that it appears hackers penetrated the bank’s internal databases via a “phishing email” and encrypted its contents, closed the bank from its own systems.
“Hackers, what they usually do, demand cryptocurrency, demand payment. That’s why it’s called ransomware,” Banafa said.
Patelco is estimated to manage more than $9 billion in assets across 37 branches nationwide. It is unclear how many of the bank’s half a million accounts were compromised and to what extent the bank’s assets were affected.
Banafa called Patelco a “soft target” for hackers, or a low-security target like schools and hospitals, compared to other higher-profile companies with more sophisticated cybersecurity defenses, such as federal government data. It’s possible the hackers are targeting either personal information of bank customers or money directly from the credit union, he said.
“This kind of information, hackers can take this information and sell it on the dark web and they can use it,” Banafa said, referring to illegal online servers that sell contraband and other illegal services.
He said it’s likely the hackers will demand some money from the credit union to get its systems back up and running, and will continue to hold the bank’s accounts hostage until the bank finds a way to bypass the hacker or until the hackers are paid. He said payment is usually requested in cryptocurrencies, such as BitCoin, and is often transferred to an offshore account outside the US.
After Patelco waited more than 24 hours to release an update about the initial attack Saturday, Banafa said “it was clear they were struggling.”
Patelco created a dedicated website on Monday to update customers on the security breach, with another message from CEO Erin Mendez. Mendez wrote that they continue to work with “third-party cybersecurity experts” to restore Patelco’s functions and that they have cooperated with law enforcement authorities.
“To our valued members – please know that if you incur a late payment fee due to this outage, rest assured that we will reimburse you for those fees. If any of our members have concerns about late payments affecting their credit score, we will write letters on your behalf. We will also waive any Patelco overdrafts, late payments or ATM fees until we are back up and running,” Mendez wrote.
And she added that “we sincerely apologize for the inconvenience our members have experienced and look forward to providing more updates in the coming days and weeks.”
Banafa said the fact that whoever executed this attack chose the start of a new month and an upcoming bank holiday to strike was also quite deliberate.
“It’s very bad timing for users and actually well-planned timing for hackers,” Banafa said. “Additions of trouble are magnified by time. . . . The people who planned this planned it when there was a lot of money.”
This left many customers scrambling to figure out how to pay their rent, mortgage and other bills.
“I don’t feel comfortable using my card, even though I can,” said Lakeisha Thomas of downtown San Jose, who added that her bills are piling up and she’s afraid her account will be overdrawn because she doesn’t know how much is in her account now. “I don’t want to be forced later.”
Jermaine Johnson, a Mountain View resident, said in an interview that he will likely transfer his savings account to another bank after first hearing Tuesday about the four-day frustration.
“It’s scary first of all,” Johnson said. “If I didn’t have the small amount of money that was there, I would be even more terrified of it. But it’s scary because you put your finances in a place you think is going to be safe and it turns out it’s not.”