Agency assures no credit union data compromised in phishing attack

No data was compromised during a recent “spear phishing” campaign targeted at Bank Secrecy Act officers at credit unions, the federal credit union regulator said in a statement Friday.

In a brief press release, the National Credit Union Administration (NCUA) said that, upon learning of the phishing attack, the agency “conducted comprehensive review of its security logs and alerts.” The completed review, the agency said, “did not find any indication that information was compromised” and that “the most recent information available indicates the campaign extends beyond credit unions to other parts of the financial sector.”

The agency release was in regard to a phishing scam targeting BSA compliance officers at credit unions and other financial institutions, reported Friday by data security watchdog Krebs On Security. According to the article, attacks on credit unions were the only ones first reported, but later reporting said the attacks targeted bank BSA compliance officers as well.

The credit union regulator said that it “makes protection of sensitive data a top priority, and the agency uses a defense-in-depth approach to monitoring and shielding its systems and information.

“The NCUA encourages all credit union staff to be wary of suspicious emails, and credit unions may report suspicious activity to the agency,” NCUA stated in its release.

According to Krebs, the attacks first surfaced Jan. 30 at credit unions, when BSA officers at began receiving emails “spoofed” to resemble those sent by BSA officers at other credit unions.

“The missives addressed each contact by name, claimed that a suspicious transfer from one of the recipient credit union’s customers was put on hold for suspected money laundering, and encouraged recipients to open an attached PDF to review the suspect transaction,” Krebs reported. “The PDF itself comes back clean via a scan at, but the body of the PDF includes a link to a malicious site.”

NCUA Review Finds No Bank Secrecy Act Data Breach