The privacy and security of protected personal information is of the utmost importance to Texas Dow Employees Credit Union (“TDECU”). This notice contains information regarding a data security incident that involved certain protected personal information collected and maintained by TDECU. TDECU is providing individuals with information about the incident and the services being made available to those who are involved. TDECU continues to take significant measures to protect personal information.

TDECU was notified by a third-party vendor used by TDECU to transfer data, MOVEit, that it was compromised by a bad actor on or around May 31, 2023 in a cyberattack (the “MOVEit attack”). MOVEit is widely used and has publicly acknowledged the incident. Notably, there was no compromise to TDECU’s broader network security.

The MOVEit attack affected thousands of organizations, government entities, private businesses, financial institutions and more around the world, with over 20 million individuals impacted. As such, the volume of data impacted was massive. The extent of MOVEit’s communications to TDECU merely identified the specific documents that were compromised in the attack.

Upon learning of this issue, TDECU immediately commenced a prompt and thorough investigation to determine the nature of the impacted information and any individuals to whom it related. As part of the investigation, TDECU engaged external cybersecurity professionals who regularly investigate and analyze these types of situations and a vendor to comprehensively review the compromised TDECU data to identify impacted individuals, after which TDECU undertook a detailed effort to identify its relationship with and contact information for impacted individuals.

After completing this thorough investigation and analysis, on July 30, 2024, TDECU was able to ascertain that the compromised data contained the personal information of specific TDECU members, employees, and other individuals transacting with TDECU members, and provided notice to those individuals as quickly as possible. The impacted data includes full names in combination with Date of Birth, Social Security Number, Bank / Financial Account Number, Credit / Debit Card Number, Driver's License / Government ID, and Taxpayer Identification Number.

TDECU is not aware of any incidents of identity fraud or financial fraud as a result of the incident. Nevertheless, out of an abundance of caution, TDECU provided notice to the affected individuals commencing on August 23, 2024. TDECU sent notification letters to potentially affected individuals for whom it had enough information to determine a physical address. The notified individuals who have had their Social Security number impacted have been offered complimentary credit monitoring services. Furthermore, notified individuals may take steps to protect themselves including placing a fraud alert/security freeze on their credit files, obtaining free credit reports, and remaining vigilant in reviewing financial account statements, explanation of benefits statements, and credit reports for fraudulent or irregular activity on a regular basis. In addition, individuals who may have had their Social Security number involved are encouraged to enroll in complimentary credit monitoring services provided in the notification letter. For more information on how to best protect yourself from identity theft, please visit https://www.experianidworks.com/3bcredit.

Individuals who have questions or need additional information regarding this incident or to determine if they are notified may reach out to the toll-free response line that TDECU has set up to respond to questions at 866-573-9704. This response line is available Monday through Friday 8:00 a.m. to 8:00 p.m. Central Time, Monday through Friday, (excluding major U.S. holidays).

1. Placing a Fraud Alert on Your Credit File.

You may place an initial one-year “Fraud Alert” on your credit files, at no charge. A fraud alert tells creditors to contact you personally before they open any new accounts. To place a fraud alert, call any one of the three major credit bureaus at the numbers listed below. As soon as one credit bureau confirms your fraud alert, they will notify the others.

2. Placing a Security Freeze on Your Credit File.

If you are very concerned about becoming a victim of fraud or identity theft, you may request a “security freeze” be placed on your credit file, at no charge. A security freeze prohibits, with certain specific exceptions, the consumer reporting agencies from releasing your credit report or any information from it without your express authorization. You may place a security freeze on your credit report by contacting all three nationwide credit reporting companies at the numbers below and following the stated directions or by sending a request in writing, by mail, to all three credit reporting companies:

In order to place the security freeze, you’ll need to supply your name, address, date of birth, Social Security number and other personal information. After receiving your freeze request, each credit reporting company will send you a confirmation letter containing a unique PIN (personal identification number) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.

If you do place a security freeze prior to enrolling in the credit monitoring service as described above, you will need to remove the freeze in order to sign up for the credit monitoring service. After you sign up for the credit monitoring service, you may refreeze your credit file.

3. Obtaining a Free Credit Report.

Under federal law, you are entitled to one free credit report every 12 months from each of the above three major nationwide credit reporting companies. Call 1-877-322-8228 or request your free credit reports online at www.annualcreditreport.com. Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize. Verify all information is correct. If you have questions or notice incorrect information, contact the credit reporting company.

4. Additional Helpful Resources.

Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Checking your credit report periodically can help you spot problems and address them quickly.

If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report. Be sure to obtain a copy of the police report, as many creditors will want the information it contains to absolve you of the fraudulent debts. You may also file a complaint with the FTC by contacting them on the web at www.ftc.gov/idtheft, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement for their investigations. In addition, you may obtain information from the FTC about fraud alerts and security freezes.

If this notice letter states that your financial account information and/or credit or debit card information was impacted, we recommend that you contact your financial institution to inquire about steps to take to protect your account, including whether you should close your account or obtain a new account number.

If your personal information has been used to file a false tax return, to open an account or to attempt to open an account in your name or to commit fraud or other crimes against you, you may file a police report in the city in which you currently reside.