Co-op Credit Union


Co-op Credit Union, a member-owned financial cooperative with over 19,000 members and $305 million in assets, suffered a data breach in April 2025 when a cybercriminal gained unauthorized access to an employee’s email account between April 8 and April 18. The breach was discovered in April, and the investigation that followed concluded on July 23, 2025, confirming that sensitive personally identifiable information (PII) was exposed. The compromised data included names, Social Security numbers, and credit/debit card numbers, putting affected members at risk of identity theft and financial fraud. The breach was reported to the Massachusetts Attorney General’s office on October 21, 2025, and notifications were sent to impacted individuals. The credit union offered 24 months of free credit monitoring via Experian IdentityWorks, but the total number of affected members remains undisclosed. Shamis & Gentile P.A. is pursuing legal action for compensation related to damages, out-of-pocket expenses, and emotional distress.

Source: https://www.claimdepot.com/investigations/co-op-credit-union-data-breach-2025

TPRM report: https://www.rankiteo.com/company/coopcu

"id": "coo5102351102225",
"linkid": "coopcu",
"type": "Breach",
"date": "4/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Undisclosed (Members at risk)',
                        'industry': 'Banking/Financial Services',
                        'location': 'Massachusetts, USA',
                        'name': 'Co-op Credit Union',
                        'size': '19,000+ members, $305M in assets',
                        'type': 'Financial Institution (Credit Union)'}],
 'attack_vector': 'Compromised Employee Email Account',
 'customer_advisories': ['Enroll in credit monitoring.',
                         'Check financial statements for fraud.',
                         'Contact credit bureaus for fraud alerts.',
                         'Seek legal counsel if impacted.'],
 'data_breach': {'data_exfiltration': 'Possible (Under Investigation)',
                 'personally_identifiable_information': ['Full Names',
                                                         'Social Security '
                                                         'Numbers',
                                                         'Credit/Debit Card '
                                                         'Numbers'],
                 'sensitivity_of_data': 'High (SSN, Payment Card Data)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Financial Data']},
 'date_detected': '2025-04-2025',
 'date_publicly_disclosed': '2025-10-21',
 'description': 'Co-op Credit Union discovered that a cybercriminal '
                'temporarily accessed one of its employee email accounts '
                'between April 8 and April 18, 2025. An investigation later '
                'determined that sensitive personally identifiable information '
                '(PII) may have been accessed, including names, Social '
                'Security numbers, and credit/debit card numbers. The breach '
                "was disclosed to the Massachusetts Attorney General's office "
                'on October 21, 2025, and affected individuals were notified '
                'by mail. The credit union is offering 24 months of free '
                'Experian IdentityWorks Credit 3B credit monitoring services '
                'to impacted members.',
 'impact': {'brand_reputation_impact': 'Potential Reputation Damage (Ongoing '
                                       'Investigation)',
            'data_compromised': ['Names',
                                 'Social Security Numbers',
                                 'Credit/Debit Card Numbers'],
            'identity_theft_risk': 'High (PII Exposed)',
            'legal_liabilities': 'Potential Lawsuits for Compensation (Class '
                                 'Action Investigation by Shamis & Gentile '
                                 'P.A.)',
            'payment_information_risk': 'High (Credit/Debit Card Numbers '
                                        'Exposed)',
            'systems_affected': ['Employee Email Account']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Possible (Under '
                                                    'Investigation)',
                           'entry_point': 'Compromised Employee Email Account',
                           'high_value_targets': ['Member PII',
                                                  'Financial Data']},
 'investigation_status': 'Ongoing (Disclosure Phase; Class Action '
                         'Investigation Underway)',
 'motivation': 'Likely Financial Gain (Identity Theft/Fraud)',
 'post_incident_analysis': {'corrective_actions': ['Credit Monitoring for '
                                                   'Affected Members',
                                                   'Fraud Prevention Guidance'],
                            'root_causes': ['Unauthorized Access to Employee '
                                            'Email']},
 'recommendations': ['Enroll in free 24-month credit monitoring (Experian '
                     'IdentityWorks Credit 3B).',
                     'Monitor financial statements for suspicious activity.',
                     'Place a fraud alert on credit reports.',
                     'Request free annual credit reports from major bureaus.',
                     'Consider legal action for compensation if affected.'],
 'references': [{'source': 'Shamis & Gentile P.A. (Class Action '
                           'Investigation)'},
                {'source': 'Co-op Credit Union Data Breach Notification '
                           '(Mail)'},
                {'date_accessed': '2025-10-21',
                 'source': "Massachusetts Attorney General's Office "
                           'Disclosure'}],
 'regulatory_compliance': {'legal_actions': 'Potential Class Action Lawsuit '
                                            '(Investigation by Shamis & '
                                            'Gentile P.A.)',
                           'regulatory_notifications': ['Massachusetts '
                                                        "Attorney General's "
                                                        'Office (Disclosed on '
                                                        '2025-10-21)']},
 'response': {'communication_strategy': ['Disclosure to Massachusetts Attorney '
                                         'General',
                                         'Direct Mail Notifications to '
                                         'Affected Members',
                                         'Public Advisory via Shamis & Gentile '
                                         'P.A.'],
              'incident_response_plan_activated': 'Yes (Investigation '
                                                  'Conducted)',
              'recovery_measures': ['Member Notifications via Mail',
                                    'Fraud Alert Recommendations',
                                    'Free Credit Report Guidance'],
              'remediation_measures': ['Free 24-Month Credit Monitoring '
                                       '(Experian IdentityWorks Credit 3B)']},
 'stakeholder_advisories': ["Massachusetts Attorney General's Office",
                            'Affected Members (via Mail)'],
 'threat_actor': 'Unknown Cybercriminal',
 'title': 'Co-op Credit Union Data Breach (April 2025)',
 'type': 'Data Breach (Unauthorized Email Access)'}