San Francisco-based Patelco Credit Union confirms its service outage was the result of ransomware and has pulled systems offline.

CEO Erin Mendez confirmed everyone's suspicions in one of her daily updates this week, also adding that members will be reimbursed for any late fees they may incur as a result of its service outage.

The information comes after a wave of complaints from users flooded social media, with many fearing they will be unable to pay bills at the end of the month or send financial support to loved ones.

Patelco's troubles began on Saturday - nightmare timing for security teams - and was initially only referred to as a "serious security incident."

"Our systems are currently unavailable. We are unavailable," read the company's security statement at the time.

At the time of writing, the majority of Patelco's services remain offline or at limited capacity. Online banking, online bill paying, balance inquiries, its mobile app, and more are fully offline still. Debit and credit card transactions, branch access, support services, and direct deposits are all at limited functionality.

Branches reopened on Monday to help facilitate payments for members but they're unable to look up balances, recent transactions, or the amount of money due for any given payment. Checks can be deposited but the funds won't be available until systems are back online, and cashing checks isn't an option either.

For those who have recently taken out loans with Patelco or are applying for one, there isn't much good news. Loan payments can't be made available until all of this is over, and there is no way for the bank to determine the status of a loan application.

The only services fully up and running are check and cash deposits, ATM withdrawals, external automated clearing house (ACH) transfers, ACH for bills, and in-branch loan payments.

Mendez said this week: "Unfortunately, this incident has required us to proactively shut down some of our day-to-day banking systems in order to contain and remediate the issue." 

She said members can still withdraw cash from ATM machines, although users can expect intermittent outages at Patelco ATMs.

Mendez added: "Please know that as we take steps to restore our systems, members may experience short, intermittent outages at Patelco ATMs. This is normal and to be expected during our recovery process. Access to shared ATMs will not be interrupted as part of this process and they remain available for cash withdrawals and deposits."

That's access to cash sorted, now on to paying bills - seemingly a pain point among peeved members. In this case, Patelco said the solution is to use debit cards, which may require billpayers to contact billers directly. It's an unwelcome extra step but better than going through the rigmarole of setting up a new account elsewhere and switching the direct debit as some affected members have suggested.

Patelco cards are still working for "most" transactions up to $1,000, it said, and ATM withdrawals are capped at $500 while the rebuild continues.

Per its most recent update, Patelco isn't committing to a firm date or time by which all systems will be restored.

The incident is being called a ransomware attack, but at the time of writing no established gang has claimed responsibility.

In these kinds of scenarios, we expect the miscreants behind it to have stolen some data, but Patelco has not commented on whether data has been taken, despite being so open about everything else.

With no gang claiming responsibility and the lack of clarity over any potential data theft from the credit union, our guess is that Patelco is locked in ransom negotiations with whoever is behind it.

It will doubtless be advised by law enforcement forces, with which Patelco says it's currently working, to not pay whatever ransom is demanded. However, there is still no law against paying ransoms, and according to CISA director Jen Easterley, there probably won't be due to practical reasons. ®

https://www.theregister.com//2024/07/03/patelco_ransomware_outage/