South Carolina bank notifies 240K people about data breach claimed by ransomware gang

SRP Federal Credit Union yesterday confirmed it notified 240,742 people about a September 2024 data breach that compromised their private information.

SRP did not publicly disclose what data was compromised, but it is offering victims free identity theft protection. That usually implies Social Security numbers and other info that could be used for identity fraud were among the data.

Ransomware gang Nitrogen claimed responsibility for the attack and demanded $400,000 in ransom. The group posted scans of what it says are documents stolen from SRP to prove its claim. Nitrogen says it stole members’ names, Social Security numbers, dates of birth, addresses, account numbers, and credit ratings.

SRP has not verified Nitrogen’s claim. We do not yet know if SRP paid a ransom, how much Nitrogen demanded, or how attackers breached SRP’s network. Comparitech contacted SRP for comment and will update this article if it responds.

SRP’s notice to victims states, “The forensic investigation determined that an unknown, unauthorized third party accessed our computer systems at times from September 5, 2024, and November 4, 2024, and potentially acquired certain files from our network during that time. This incident did not impact our online banking system or core processing system. ”

SRP is offering victims 12 months of free credit monitoring and identity theft protection via Experian.

Who is Nitrogen?

Nitrogen is a relatively new ransomware gang that began adding targets to its leak site in September 2024. It claimed three confirmed ransomware attacks so far, plus another 13 that haven’t been acknowledged by targeted organizations.

Nitrogen’s two other confirmed attacks were on Red Barrels, a Canadian video game studio hit in October, and Management Data Systems International, which was attacked in June.

After a hiatus in November, the group made five claims in December including SRP. The other four were against companies based in Houston, Texas.

Ransomware attacks on US finance

Ransomware attacks on finance companies can steal confidential data and disrupt operations that lead to delays and data loss. Aside from data theft, ransomware often encrypts affected systems so they can’t be used until a ransom is paid to decrypt them. Ransomware groups demand additional ransom be paid in exchange for not selling or publicly releasing stolen data.

In 2024 so far, Comparitech researchers logged 43 confirmed ransomware attacks on US banks and other financial companies, compromising more than 34 million records. The number of attacks is lower than last year
(60), but the number of records compromised skyrocketed in 2024 (13.4 million). This attack on SRP is the seventh-largest such attack this year.

Other recently-confirmed attacks on the US financial sector include those on Howard, Howard and Hodges, a CPA hit by BlackLock in September; Capital Fund 1, a lender hit by RansomHub in July; and Liberty First Credit Union, a bank hit by RansomHub in September 2024. Liberty First notified 52,496 people about the breach.

About SRP Federal Credit Union

SRP Federal Credit Union is a member-owned bank with two dozen locations in South Carolina and Georgia. It serves more than 195,000 members, according to its website.