LIVONIA, Mich. – February 9, 2024 – Today, CUSG is notifying its credit union industry clients regarding a recent temporary vulnerability in its internal CRM system. Not connected to any CUSG products or credit union member data, the internal CRM system was immediately investigated. CUSG does not believe any client data was actually breached or misused and the vulnerability stemming from a third-party platform was rectified within 24 hours.
CUSG was notified of this vulnerability by Jeremiah Fowler, a self-acclaimed "researcher" who appears to access corporate systems to expose vulnerabilities, then notifies the organizations regarding their exposure. At least in the case of this incident, he also requested a "bounty" to help fund his research, and then published the information in his blog which was later picked up by a specialized publication called, "HACK READ." These posts can then be google-searched by other parties including media outlets. CUSG did not agree to pay the requested "bounty."
CUSG was in the process of gathering information and preparing a client communication when news of this publication broke. Nowhere in the article is an actual breach alleged. In fact, after exaggerating the incident to readers in an effort to sell their products, even the HACK READ article and Mr. Fowler’s personal blog post point out that the identified vulnerability was secured and rectified "on the same day."
Mr. Fowler’s blog post was actually quite informative regarding the differences between banks and credit unions and was helpful in providing cautions regarding the risks associated with CRM system security specifically. However, CUSG finds the public broadcasting of this information to be reckless, alarmist and exaggerated.
An important statement by Mr. Fowler in his personal blog that should be reported by anyone wishing to cover this story is shown here.
From Mr. Fowler: "I do not imply any wrongdoing, negligence, or imminent risk to CUSG, their CRM provider or their customers. I also emphasize that there is no evidence to suggest that the data was ever at risk or exploited for fraudulent purposes."
In his Website Planet blog, Mr. Fowler has done similar "research/publication" work regarding scores of companies including Software Projects, Australian travel agency Inspiring Vacations, the America Family Law Center, Redcliffe Labs, Deutsche Bank, retailer Hendel Hogar, and numerous others. Again, the motivation seems to be to raise awareness, but also to benefit Mr. Fowler personally in his career as a researcher, writer, and speaker.
CUSG CEO Dave Adams, summarized this incident this way: "While researchers like Mr. Fowler can help remind us of the importance of good data security, the publication of his findings in ways that potentially disparage corporate brands, create a customer "call to action", and exaggerate the facts is clearly irresponsible and could place him and others at legal risk if their hacked data ends up being mishandled."
Continuing, Adams expressed confidence in CUSG’s Internal Technology security: "For over 30 years, CUSG has operated with the same experienced technology team and leadership that has a stellar reputation for managing IT security on behalf of its stakeholders. While all companies are exposed to the ever-growing threats of cyber-security, and ransomware, CUSG’s team constantly monitors vulnerabilities and makes corrections immediately as needed and then reports to stakeholders with transparency."