In November 2018, the Washington State Employees Credit Union (WSECU) suffered a data breach at its drive-thru ATMs between October 1 and October 31, 2018. The incident involved card skimmers malicious devices installed on ATMs to secretly capture payment card details. Approximately 2,560 individuals were affected, with their cardholder names, account numbers, CVV codes, and PINs potentially exposed. The breach was discovered and reported by the Washington State Office of the Attorney General on November 16, 2018. The compromised data could enable fraudulent transactions, identity theft, or unauthorized account access, posing financial risks to the victims. While the breach was limited to ATM skimming and did not involve broader system infiltration, the exposure of sensitive payment card information including PINs heightened the severity. WSECU likely took corrective measures, such as reissuing cards, monitoring affected accounts, and enhancing ATM security, but the incident underscored vulnerabilities in physical transaction points. The breach primarily impacted customers’ financial security, with potential reputational damage to the credit union due to the loss of trust in its ATM infrastructure.
TPRM report: https://www.rankiteo.com/company/washington-state-employees-credit-union
"id": "was547091725",
"linkid": "washington-state-employees-credit-union",
"type": "Breach",
"date": "10/2018",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"{'affected_entities': [{'customers_affected': '2,560',
'industry': 'Financial Services',
'location': 'Washington State, USA',
'name': 'Washington State Employees Credit Union '
'(WSECU)',
'type': 'Credit Union'}],
'attack_vector': 'Physical (Card Skimmer at ATMs)',
'data_breach': {'data_exfiltration': 'Yes (via Card Skimmers)',
'number_of_records_exposed': '2,560',
'personally_identifiable_information': ['Cardholder Names',
'Account Numbers',
'CVV Codes',
'PINs'],
'sensitivity_of_data': 'High (Financial and Personal Data)',
'type_of_data_compromised': ['Payment Card Data',
'Personal Identification '
'Information (PII)']},
'date_detected': '2018-11-16',
'date_publicly_disclosed': '2018-11-16',
'description': 'The Washington State Office of the Attorney General reported '
'a data breach involving the Washington State Employees Credit '
'Union (WSECU) that occurred at drive-thru ATMs between '
'October 1 and October 31, 2018. The breach involved card '
'skimmers that acquired the data of approximately 2,560 '
'individuals, potentially exposing cardholder names, account '
'numbers, CVV codes, and PINs.',
'impact': {'brand_reputation_impact': 'Potential Negative Impact (Likely)',
'data_compromised': ['Cardholder Names',
'Account Numbers',
'CVV Codes',
'PINs'],
'identity_theft_risk': 'High (Potential for Fraud)',
'payment_information_risk': 'High (Card Data Exposed)',
'systems_affected': ['Drive-Thru ATMs']},
'initial_access_broker': {'data_sold_on_dark_web': 'Likely (Common for '
'Skimming Operations)',
'entry_point': 'Physical ATM Skimming Devices',
'high_value_targets': 'Payment Card Data'},
'motivation': 'Financial Gain (Likely)',
'post_incident_analysis': {'root_causes': 'Lack of Physical Security Measures '
'at ATMs (Likely)'},
'references': [{'source': 'Washington State Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': 'Washington State '
'Office of the Attorney '
'General'},
'response': {'communication_strategy': 'Public Disclosure via Washington '
'State Office of the Attorney General'},
'title': 'Washington State Employees Credit Union (WSECU) ATM Card Skimming '
'Incident',
'type': 'Data Breach (Card Skimming)'}