
3 Million Records from Thousands of Credit Unions Exposed

Jeremiah Fowler February 13, 2024
Cybersecurity researcher Jeremiah Fowler discovered and reported to WebsitePlanet a non-password-protected database that contained three million records, which included over a million email addresses, account details, passwords, and more relating to thousands of credit unions across the United States.

The publicly exposed database contained a total of 3,125,660 records with an estimated size of 13 GB. Upon further research, it appeared that the records inside the database belonged to a company named CU SOLUTIONS GROUP, INC (CUSG). I immediately sent a responsible disclosure notice, and received a reply saying that they would review my findings and investigate the matter. The database was secured from public access the same day. A representative later told me they would be checking with a third-party vendor, but I never received any update on this. Although the information in the database seemed to belong to CUSG, it was never confirmed who was ultimately responsible for managing the system.  

The database appeared to be a cloud storage repository for a Customer Relationship Management (CRM) system. Businesses and organizations use CRM software to manage interactions with current and potential clients or customers. It is an essential tool for organizations to streamline communication, to improve customer service, and to centralize customer and employee information. The CRM database usually contains sensitive information needed to conduct daily business activities. This can include internal communications, customer contact details, purchase or service history, and much more. 

According to their website, CUSG offers web services, media and creative services, and various products such as Save To Win, Love My Credit Union Rewards, MemberXP, Performance Pro, and Compease. CUSG provides technology and marketing service products to 3,400 financial credit unions in 48 states. According to the company’s LinkedIn profile, “The company is majority-owned by the Michigan Credit Union League and has more than 100 investors comprised of credit unions, credit union leagues and credit union system organizations”.  

I was able to see a folder containing 1.1 million email communications. Another folder (labeled “contacts”) contained 73k records that included names, email and physical addresses, internal notes, and the clients’ passwords in plain text. The database also held a folder named “notes”, which contained 1.4 million entries made by employees, and another folder named “meetings” that contained 22k records. In a limited sample of the latter, I saw detailed meeting notes regarding each interaction employees had with customers. These notes could include sensitive information about internal business needs, budgets, or risks of individual credit unions. 

Credit unions and banks are different in their ownership structure, customer base, and how they operate. Banks are typically for-profit institutions owned by shareholders and serve the general public without specific membership requirements. Credit unions, on the other hand, work as cooperatives owned by their members, who have direct control over the credit union’s decisions and have an elected board of directors. Credit unions often focus on serving the specific financial needs of their members, striving to provide competitive rates on loans, set higher interest rates on savings, and take a more personalized or local approach than corporate banking institutions. According to the National Credit Union Administration (NCUA), the Federal agency that governs credit unions, there were 135.3 million people who banked with credit unions in 2022, and they have $2.17 trillion in assets. 

Potential risks of the exposure

In 2022, the average cost of a data breach in the financial industry was nearly six million USD, second only to the healthcare sector, which was nearly 11 million USD. With financial gain being the goal of most cybercrimes, it is clear to see why financial institutions and their customers could be a serious potential target. Overall, in the United States, consumers reported losing a cumulative $8.8 billion to fraudulent scams in 2022 — a 30% increase from the previous year, according to the Federal Trade Commission (FTC). Any data breach involving a technology service provider for credit unions could potentially pose significant risks to both the financial institutions and their members. 

Although I didn’t see individual customer records of credit union members in the exposed database, I did see contacts, communications, and other related data of board members and the leadership of a large number of credit unions. It is unknown if anyone else accessed these exposed records. In the dubious world of cyber crime, exposed internal data could be a stepping stone to try and identify a vulnerability or backdoor into the network of a financial institution. Exposed passwords could hypothetically allow unauthorized access to the accounts and any documents or information stored there. The potential risks of a massive number of email addresses being publicly exposed include a low-tech phishing campaign, distribution of malware, or simple spam emails. 

Exposed email server communications, pathways, and IP addresses can hypothetically pose even more serious risks and various cybersecurity threats or vulnerabilities. If the email server communication channels are unencrypted or inadequately protected, technical attackers could potentially intercept data and other sensitive information. Exposed email server configurations or outdated software may become vulnerable and increase the likelihood of potential data interception by unauthorized cybercriminals. When IP addresses associated with email servers are publicly exposed, they could potentially enable cybercriminals to spoof or impersonate legitimate servers, allowing them to send fraudulent emails that appear to come from trusted sources. This tactic (known as “IP spoofing”) can be used in a wide range of malicious activities. I am not saying or implying that CUSG or their clients are at imminent risk of this type of attack. I am only providing a hypothetical real-world scenario of the potential risks of a public exposure of internal email server data.   

Any data breach or unauthorized access of a CRM system can have serious potential security risks for the organization or their clients. Organizations and financial institutions that collect and store potentially sensitive data in a CRM system should implement multiple layers of security measures to safeguard their data. I highly recommend:
  • Updating the CRM software to the latest version as it becomes available. The latest software version can include things such as security patches and fixes for known vulnerabilities.
  • Having strong access controls and role-based permissions. It is important to ensure that only authorized personnel can access sensitive data within the CRM and any other database where records are stored.
  • Encrypting data for an additional layer of protection. If encrypted data is exposed, it is far less likely to be decrypted and used for nefarious purposes.
  • Doing regular security audits and penetration testing. This can help an organization identify exposed data or potential vulnerabilities (including human errors). 
These are just the basic steps that businesses should take to secure and protect their internal data and systems. My goal is to raise awareness of the evolving nature of cybersecurity threats and the need to implement proactive measures to safeguard potentially sensitive information.

As an ethical security researcher, I never download or extract the publicly exposed data that I discover. I do, however, review a limited sample of documents for verification and validation purposes. My intention is to highlight cybersecurity best practices and identify potential risks associated with data incidents. It’s important to note that in my findings and reporting, I do not imply any wrongdoing, negligence, or imminent risk to CU SOLUTIONS GROUP, INC (CUSG), their CRM provider, or their customers. Although these records belonged to CUSG, they never clarified if they managed the database. I also emphasize that there is no evidence to suggest that the data was ever at risk or exploited for fraudulent purposes. It is unknown how long the database was exposed or if it was accessed by anyone else. Only an internal forensic audit would be able to conclusively identify any additional access or suspicious activity.
