235K members of Minnesota-based credit union notified of data breach after cyberattack

Thousands of members of Blaze Credit Union, the fourth-largest banking nonprofit in Minnesota, are learning that computer hackers accessed highly sensitive personal information like Social Security numbers in mid-August.

About 235,000 active Blaze member accounts may have been exposed by the hack four months ago. Notices of the data breach were mailed in early December to those whose personal information was confirmed as compromised.

Blaze’s computer systems were not accessed directly. Instead, the hackers stole the information from a third-party vendor based in Plano, Texas, called Marquis Software Solutions, which offers marketing services to Blaze and roughly 700 banks and credit unions nationwide.

The incident comes as financial institutions, health care companies and government entities face escalating threats from cybercriminals seeking to steal valuable information from their private computer networks. Stolen information is often used for fraudulent purposes and traded on the dark web, according to cybersecurity experts.

Marquis declined to answer questions.

In a statement, the marketing company said the “data security incident” immediately triggered a response and prompted Marquis to take its customer systems offline. The company hired a cybersecurity firm to conduct an internal investigation and notified law enforcement.

Blaze officials said they are taking the issue seriously.

Carlson said Blaze is evaluating its legal options with regard to Marquis and has started taking the “necessary steps to separate from Marquis.”

Suspicious activity was first discovered on Marquis’ computers Aug. 14. In late October, an internal investigation revealed Blaze accountholder information, including names, dates of birth, addresses and Social Security numbers, had been accessed and copied.

Notices first went to Blaze members Dec. 5. The credit union said the internal investigation required time to determine which customers were affected. Blaze said Marquis initially claimed in mid-August that its members’ data appeared to be safe, but after finishing the investigation in October, the contractor confirmed that Blaze members’ info in fact was compromised.

Affected accountholders are being offered 12 months of credit monitoring and identity theft protection services, carrying coverage up to $1 million.

Blaze said its employees were informed of the breach at the same time as its members. Branch employees, the call center and an “escalation team” were prepared to handle concerns related to the incident.

Nearly two dozen personal injury lawsuits have been filed against Marquis in federal court since late November. Multiple banks and credit unions are listed as co-defendants. In one typical case, two Ohio residents sued Marquis and their West Virginia bank for alleged failure to provide adequate safeguards to their personal data or a timely notification of the breach.

On Dec. 16, an Eden Prairie man filed a civil lawsuit against Blaze in Ramsey County over the data breach. The lawsuit claims the threat to his personal information will outlast any service offered to protect his identity and credit. Blaze has yet to file a legal response to the lawsuit.

Data breaches frequently go unreported to affected customers for months.

In some cases, it’s because the business may be unaware of unauthorized access to its computer files. It’s also common practice to hire outside cybersecurity consultants to conduct a thorough investigation of the scope and origin of data breaches and notify local and federal authorities. Many cases include an offer for some form of identity monitoring on behalf of affected customers.

Minnesota law requires businesses to disclose data breaches directly to affected consumers “without unreasonable delay.” But the state does not maintain a public registry of data breaches, as some states have created in response to rising incidents, including California, Maine and New Hampshire.