Update on Incident on 14th February 2018

Please consult this page if you have any questions about the letter that you will have received regarding the cyberattack that Sheffield Credit Union recently suffered. If you are a member of Sheffield Credit Union and have not received the letter, please contact our offices.



Update from 09/05/18:

Why were we only informed 2 months later?

When the attack happened on 14/02/18 it was believed to be a style of attack where the data is locked and a ransom demanded to unlock it. Our IT specialists assured us that no data had been compromised. Our data back-up processes allowed us to restore our data quickly and effectively from backup files which had been produced before the attack.

It was discovered on 16th April that the attack was more serious, and actually involved the hackers copying data held on our server. The hacker made contact with us, demanding a ransom. South Yorkshire Police and Action Fraud were notified immediately, as were the Information Commissioners Office (ICO), and our regulators – the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA).

We began drafting a letter immediately, to inform members, and took advice from the ICO and FCA. We wanted to be open and honest with our members and inform them without delay. We began printing and posting the letters the same week.


Why has there been no official announcement, despite the fact the data breach has made the news?

Being open and honest with our members was our main priority. We were keen to ensure all 15,000 letters had been printed and sent out to members, so that we could deal with any of your concerns. We also wanted to inform the organisations we work with prior to making any press release. Once we had completed this a press release was made on 04/05/18.


How did the attack happen in the first place?

For security purposes we are not able to disclose all the details. We are assured by our IT specialists that an attack of this nature could no longer be successful. We have also engaged the services of a specialist cyber security consultancy firm to give a second opinion.


What security has the Credit Union put in place so that this type of incident doesn’t happen again?

Recommendations have been made to us by our IT specialists, following their review of the attack in February. These recommendations have all been put in place. We will continue to review our security on a regular basis to ensure we are able to protect against future threats.


Original Post from 26/04/18:

Is the on-line/members area safe to use?   

Yes, no passwords, PINS or share withdrawals are stored anywhere on the organisation’s systems.


Is my money safe in the credit union?

Yes, we have added extra security when dealing with members over the telephone and will be carrying out our usual face to face checks.  As we operate manual systems, you can be sure that all requests will be sent to your chosen bank account after being verified by a member of staff.


Why has this only just been reported? 

We only became aware of this very recently, and have communicated with our members as quickly as possible.  It is often the situation with these attacks that the organisation is not able to inform those affected for some time, as you may have noticed if you have been notified of attacks on other organisations.


Do we need to change our passwords? 

If you wish to submit a new BACS authorisation form, with a new password, you may, but as stated previously, no member is able to make a withdrawal over the phone without passing additional security checks, and funds are sent to the account you have registered with your credit union account.


Can somebody take out a loan in my name? 

This is always a possibility, even with information that other organisations hold on you.  We advise that you check your credit record regularly, as mentioned in the letter and in the advice on the Money Saving Expert site.


Can somebody access the bank account I have registered with Sheffield Credit Union? 

Banks have their own security methods for logging in.  You do not store your online passwords or security details for your bank account with Sheffield Credit Union and so nobody will be able to access your bank account online with the information obtained from the cyber attack.  As good practice generally with online safety, you may wish to ring your bank and set up alerts for your bank account.  These can usually be texted to you. We would also suggest you check your bank regularly, and if you identify anything unusual, contact your bank and Action Fraud.


How can I prevent unwanted phone calls? 

You can register with the Telephone Preference Service (www.tpsonline.org.uk/tps) or your phone provider may be able to set up call screening to block unwanted calls, as many providers offer this service.


How did this happen?  

As with attacks of this nature, this often takes some uncovering.  Cyber-criminals adapt to new technology and organisations seek to keep one step ahead of this.  We can assure you that the police and Action Fraud are investigating this fully.


We will continue to update this page with answers to questions that members ask.  Please do not hesitate to ring or email with your questions to add on to the web page.