Fairmont Federal Credit Union is notifying over 187,000 individuals that their personal and financial information was stolen in a two-year-old data breach.
A not-for-profit financial organization, Fairmont Federal Credit Union offers services such as business and home mortgage loans, financial first aid, and personal checking. It operates nine regional branches in West Virginia.
The organization discovered the cybersecurity incident on January 23, 2024 and launched a prompt and thorough forensic investigation, concluding on August 17, 2025, that files stolen from its network contained personal information.
The data breach, however, had occurred four months prior to discovery, with the attackers maintaining access to the credit union’s network between September 30 and October 18, 2023.
Now, two years after the fact, the credit union is notifying (PDF) its customers that the hackers stole files containing their names, dates of birth, Social Security numbers, driver’s license numbers, government ID numbers, financial information, medical and health insurance information, and other personal data.
More alarming is that the stolen information contains full credit card/debit card details, including card numbers, security codes/PIN numbers, and expiration dates. IRS PIN numbers, tax ID numbers, routing numbers, and full access credentials were also compromised in the data breach.
“To date, FFCU is not aware of any incidents of identity theft or financial fraud as a result of the incident,” Fairmont Federal Credit Union says.
Late last week, the credit union told the Maine Attorney General’s Office it is providing written notices to 187,038 individuals affected by the data breach.
The impacted individuals have been provided with 12 or 24 months of free identity theft protection and credit monitoring services
The credit union did not say who was responsible for the data breach, but it appears that it discovered the incident on the same day that the Black Basta ransomware group added it to its Tor-based leak site.
One of the most prolific ransomware gangs, with over 500 victims worldwide and more than $100 million received in ransom payments, Black Basta has been inactive since January 2025.
Related: UK Train Operator LNER Warns Customers of Data Breach
Related: 100,000 Impacted by Cornwell Quality Tools Data Breach
Related: South Dakota’s Noem Says Cell Phone Number Hacked
Related: Hack Exposes Personal Data of Entire Swiss Town: Report
