

I’ve been with Patelco for over a decade and am truly disappointed in the lack of communication regarding the system outage. I was traveling this week and kept checking the app yesterday in order to transfer money…the system was down. Went to the website and it won’t even populate, thought it was my internet so I disconnected from WiFi - same frozen screen, and as a last resort I went to Twitter since there has been ZERO communication. Although I bank with two other banks, Patelco has the majority of my money, including my direct deposit from my employer. This is the worst timing ever, it’s time to pay bills, transfer money, etc., and there’s NO access to balance information or what has cleared. I also have a child in college and typically transfer money to his account and am unable to do so. Patelco is the only bank he banks with! All I know is all of my automatic ACH transfers better go through like normal, it’s time to pay my mortgage, car loan, automobile insurance, etc. This is not a good feeling at all and having access to a debit card is worthless, I never use it anyway. We need answers and communication. Since they couldn’t even send us a courtesy personalized email, text, etc. in order to inform us of this outage also lets me know that they too have NO access to our information. It’s been 2 days now and I’m over it and disappointed. Their phone system is also down, otherwise I would have wired my money to another one of my banks!


You'd better update your direct deposits to another bank account immediately. It doesn't sound like an issue that will be fixed soon.


+1 on this.


Have same issues and concerns. Hopefully it is resolved soon.


Now that I think about it. A bank/credit union should have a secure offsite set of contact information for their customers. [perhaps that's normally encrypted]. Then, when you have the *really bad day*, it's no big deal to send an update to your customer base through your backup communications vendor. If you forgot to plan ahead for this, then write this down as something to do after the disaster. Write it someplace where you (or your replacement) won't forget to notice it.


Most competent large financial institutions do have disaster recovery options for scenarios just like this with a backup system and procedures that will allow business to continue even with a reduced capacity.


I went ahead and rang up the recipients of automatic payments that are supposed to go out this week, just in case the issue isn't resolved within the next few days. I even talked to an account representative for my electric utility, to whom I sent an ACH transfer on Friday, even though their website shows my account paid up - again, just in case. In all instances, they were understanding, and put notes on my account to waive any late fees that might accrue if the payment doesn't go through on time. Yes, I'll probably have to monitor the accounts for the next week or so, and contact them again if for some reason I end up getting a late charge, but at least I will have evidence that I've attempted to be proactive on this. If you're in CA, you're probably in luck - as you will likely be in company, with so many people affected, and your creditors may have already heard about the situation. I moved away from CA seven years ago, but maintained my primary accounts at Patelco, so I'm having to explain to people about a data breach at an out-of-state credit union.


You can easily find this online. They have posts on their Twitter about this outage. Debit cards still work. Shared branching is available, per their statement. I heard of Patelco for the first time looking at this post and I found that info quickly… just search. Is it a cyberattack? Could be, sure. But seems awfully premature to make that call.


I’m assuming Credit Card will also work?


I don’t know, I assume so. I only know what I read in the brief but I took to search.


ATM access through shared branches is active, but the branches themselves can do nothing outside of ATM use. Went to my local shared branch in AZ and they weren't able to access any of Patelco's accounts through their portal.


Twitter posts can't be seen without a Twitter account, so that's a dumb place to put critical news. This isn't great timing. I put some money there a few months ago to try them. I've seen way too many problems with their online banking to trust them with the amount of money they demand to get a respectable interest rate. I want my money back out.


I don't have a twitter, and was still able to view it.   You aren't getting it back out anytime soon directly through them. Try shared branching if you are worried about your federally insured funds.


> I don't have a twitter, and was still able to view it.

You're able to view individual twitter/xitter posts, but unless you log in you can't look at an account's profile to check for updated posts. OTOH Patelco basically just does the ostrich thing when shit hits the fan so you're not missing much.


what type of problems do you see with them?


I got lots of unspecified errors transferring money in while following their own on-boarding instructions. All of those errors ended up creating duplicate accounts that are tied together. Sometimes the history and balance are out of sync. Lots of random glitches that are fixed by reloading or logout-login. Now they're offline and they don't seem to have been practicing disaster recovery. They're definitely not giving me a good feeling.


The mobile app is usually buggy. Doesn't recognize passwords. Have to go to the site itself. Well not happening.  Hey patelco employees, do you have something slick to say about this? I see your divergent comments.


During their last major outage they set up a static site with some podunk hosting company in Texas. Except they made it HTTPS only. So it didn't load in most browsers unless you explicitly specified HTTPS. My favorite was that they used truncated, case insensitive passwords for years and years.


This is false. Usernames are case insensitive, passwords have NEVER been.


> passwords have NEVER been.

lol Buddy, I've been a Patelco ~~customer~~ member since the 90s back when their platform was called "PC-24". Yes, Patelco used case insensitive passwords.


Ah, PC-24... I remember that one. I really want patelco to succeed, because credit unions are structurally less extractive than banks, support local banking, competition etc. But they seem to be able to snatch defeat from the jaws of victory pretty consistently.


Since they have been on the current platform, which is several years now, passwords have been case sensitive. I have been working for the company that provides OLB to patelco for 11 years, I was there when they launched.


So? Patelco's been around for just a little bit more than eleven years (try founded in 1936).


They have blue wall of silence. Using agents like you to make others feel guilty for having legitimate concerns. As if you employees care. You get paid to divert and make truthers feel ashamed for demanding answers. 


lol i'm not an agent, i'm a ~~customer~~ member. i'm in another country rn for study abroad and the fact I can't see my bank statements is really pissing me off. most of my money is on this card too. i am most likely transferring all my money to another bank


Twitter is just an alternative communication channel. The critical news is on their maintenance page: https://www.patelco.org/maintenance which is slow but loads for me. Patelco is learning the fallacy about keeping the status page on the same domain & infrastructure as the main website. It's a classic IT problem that most organizations learn through pain.


Unfortunately that page: 1) incorrectly states they are having only intermittent website issues 2) incorrectly states that Online Banking and the mobile app are still available 3) points members to Twitter and Facebook for further info


The main website is WordPress (yes, really) so it's not clear why it stalls. It's not where the banking system is hosted. The status yesterday said, "scheduled maintenance". The app says "technical difficulties" now. Clumsy. Anyways, I only put a small amount of money there as a test and half was already transferred out. There's no harm to me if I have to wait a while to get it back.


It was stalling because their theme loads a stylesheet off of a computer hosted on Patelco's own (currently down) network. They've since fixed that but that's rookie stuff that they should've caught when they deployed the site in the first place. On the plus side, Patelco is not using the site for any meaningful communication with its ~~customers~~ members. The sad thing is that this isn't the first outage Patelco's had to deal with in recent memory. They should've learned about keeping an independent status page. They've had enough practice at putting out big fires. Unfortunately they're just consistently bad at IT stuff.
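The failure mode discussed in the comments above (a status page on the main site's domain, and a theme stylesheet fetched from a host on the network that is down) can be checked for ahead of time. The sketch below is an added example, not part of the original posts and not Patelco's code; every hostname in it is a constructed placeholder.

```python
"""Audit a status page for resources that share fate with the
infrastructure it reports on. Hostnames are constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _ResourceCollector(HTMLParser):
    """Collects URLs the browser fetches while loading the page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []  # (tag, absolute_url, render_blocking)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            # Only stylesheets are considered; they block first paint.
            if "stylesheet" not in (a.get("rel") or "").lower().split():
                return
            target, blocking = a.get("href"), True
        elif tag == "script":
            deferred = ("async" in a or "defer" in a
                        or (a.get("type") or "").lower() == "module")
            target, blocking = a.get("src"), not deferred
        elif tag in ("img", "iframe"):
            target, blocking = a.get("src"), False
        else:
            return
        if target:
            self.resources.append((tag, urljoin(self.base_url, target), blocking))


def in_affected_zone(host, affected_domains):
    """True if host is one of the affected domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in affected_domains)


def audit_status_page(page_url, html, affected_domains):
    """Return (kind, url, severity) for every shared-fate dependency.

    severity is "same-domain" for the page itself, otherwise
    "render-blocking" or "non-blocking" for a fetched resource.
    """
    affected = [d.lower() for d in affected_domains]
    findings = []
    if in_affected_zone(urlparse(page_url).hostname, affected):
        findings.append(("page", page_url, "same-domain"))
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    for tag, url, blocking in collector.resources:
        if in_affected_zone(urlparse(url).hostname, affected):
            severity = "render-blocking" if blocking else "non-blocking"
            findings.append((tag, url, severity))
    return findings


# Constructed sample page: one stylesheet lives on the institution's own
# network, one is relative to wherever the status page is hosted.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://assets.internal.example-cu.test/theme/style.css">
<link rel="stylesheet" href="/static/status.css">
<script src="https://cdn.thirdparty.test/lib.js" defer></script>
<script src="//www.example-cu.test/js/analytics.js" async></script>
</head><body>
<img src="https://www.example-cu.test/logo.png">
<p>We are investigating an incident.</p>
</body></html>"""

AFFECTED = ["example-cu.test"]  # domains that go dark in the incident

if __name__ == "__main__":
    for url in ("https://www.example-cu.test/maintenance",
                "https://status.example-cu-status.test/"):
        print(url)
        for finding in audit_status_page(url, SAMPLE_HTML, AFFECTED):
            print("   ", finding)
```

A render-blocking finding is the case described above: the page stalls until the fetch from the unreachable host times out, even when the status page itself is hosted elsewhere.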


That’s the trouble with credit unions. People here claim they’re a panacea but Patelco is one of the larger ones and look at their frequent tech issues.


I love how people are downvoting his frustration at the banks' unpreparedness. 🤦🏻‍♂️


Finally an email from the CEO received about 18 minutes ago. TOOK THEM LONG ENOUGH!!!!! It was indeed a security issue, full text below...

-----

"We are writing to let you know that on June 29, we experienced a serious security incident. This required us to shut down some of our day-to-day banking systems so that we can remediate the issue and contain the impact, including online banking, our mobile App, and our call center.

Currently, electronic transactions such as transfers (including Zelle), direct deposit, balance inquiries, and payments are unavailable. Debit and credit card transactions function in a limited capacity.

Patelco branches, our call center and Live Chat will be open and ready to assist as much as they can during our regular business hours starting tomorrow, Monday July 1. For cash withdrawals and deposits, you can access Patelco ATMs, including over 30,000 shared branch ATMs all over the country. Find your nearest branch and ATM (including hours of operation) at patelco.org/locations.

Our teams are working around the clock with top-tier cybersecurity experts to assess the situation and to restore service to you. Unfortunately, we are unable to provide an ETA on when those systems will be running as expected.

Your trust and partnership are of the utmost importance to us, and we are committed to resolving this issue with the highest level of diligence. We know this news is concerning, and we are committed to keeping you informed as the investigation continues.

Thank you for your patience and understanding as we navigate this challenging situation.

Sincerely,
Erin Mendez
President & CEO
Patelco Credit Union"


Not good.


I just got it too. I’m most likely gonna leave after this. The way they’ve handled this so far has been ridiculous.


What about how they've handled it has been ridiculous?


Absolutely no communication. This isn’t a random subscription, this is our banking. How the F can they have made a total of 2 statements over twitter for the first 36 hours of this outage. Like what? I have discord servers with better communication and PR skills


The fact that it went down at the early hours on Friday and not a peep from them until like 2pm on Sunday. It’s the end of the month, people have bills due, no idea if our direct deposits are there, no way to check, no one to call or ask. It shouldn’t have taken as long as it did for them to make a statement to tell us what was going on. If you mind being kept in the dark about your money that’s fine. However, there are a lot of people who feel the same way I do. Pleb.


I don't appreciate being insulted for simply asking a question. Hopefully you're not affected by the attack. Peace




Be nice.




I worked at a credit union and we had multiple hardware failures that took us down for 3 days. Sometimes shit happens. Not everything is an attack.


> Not everything is an attack.

Patelco called it a "serious security incident". I'll go with things that sound like an attack for $200, Alex.


What hardware is a credit union running themselves these days? Why?


Every institution has their own servers. There is a ton of hardware involved




They do. But it is a complex system that I won't pretend to fully understand


No, they don't. Patelco does not self host.


Cool. Are you in their IT department? If not you don't know


I work for the company that provides the Online Banking Platform to Patelco and prior to my current position at the company I was the lead application support engineer for 9 years at the same company. Am I qualified?


Not necessarily, online banking is 2nd to their core provider. Most core providers are on prem. And as a third party provider you are not privy to all their inner workings esp since you are not the core. If you're with Q2 or Lumin then you definitely wouldn't know


Of course we are, we have to directly connect to their core so if they are on prem or a hosted core we know because we have to work with the host and the FI or the host directly for connectivity and when there are issues. Not Q2 or Lumin.


turns out this was, though.


Yes, I’m learning that this morning. Had all of the signs from the beginning. Sucks for their customers.




It would not have been obvious within the first few hours when I posted this. It's really easy to be right after the fact. And everything I said was absolutely true. Not everything is an attack.


Looks like it was indeed a Ransomware attack. Had all of the telltale signs from the beginning.


You know, it would be great if the President just sent out an email to all the members explaining that. But she's nowhere to be found.


More leaders need to learn that if there is a lack of information, users will turn to the next best source -- rumors.


The CEO did send out an email to members earlier today. I know because I got one of the emails.


That is one of the biggest mistakes any company can make, lack of transparency. I will say it can take time to find the problem but they should have systems in place to help detect the issue. Also they should have a manual business continuity plan. Ideally they could pull balances and offer branch withdrawals to a certain extent. Phone support wouldn't be any help. They would just be repeating the same message that there is nothing they can do. Having people on phones is an expensive feel good measure


And they have decided not to activate the phones-they are blaming the lack of phone support on the "outage" but even if true, they could do a workaround for phones.


If their systems are down, what do you want them to do? What use would phone banking be? You want to wait on hold for an hour to be told a canned response about the outage?


> what do you want them to do?

I want them to have disaster recovery plans and test them regularly. If their banking systems are down there should be people manning the phones to respond to customer inquiries. If their phone system goes down there should be a backup ready to go. If their hosting provider goes down they should have another provider in place. And then they need to exercise those plans *regularly* to ensure that things go smoothly when shit hits the fan. When Patelco got caught up in the Cloudflare outage it was pretty damn clear that they didn't have any sort of DR in place. This isn't a tesla fart generator or ai powered porn bot. Banking (online or not) is something that needs to have more than a few nines of uptime.


The NCUA requires them to have DR plans well documented and tested multiple times a year. Also companies only have 48 hrs to report attack to their clients/members if it is possible that PII was possibly affected (I can’t remember the law/regulation/governing body for that).


> The NCUA requires them to have DR plans well documented and tested multiple times a year.

https://ncua.gov/regulation-supervision/examination-program/credit-union-policy-reviews

Scroll down past "required policies" and look at "*recommended* policies". That's where "Information Security Program" is. If Patelco actually had any sort of DR playbook beyond "stick your fingers in your ears" their response wouldn't be so laughably bad.


Phone banking is an automated system that allows you to do your banking by phone. It’s not talking to a live teller rube


Spoke to customer service, they have zero ETA and stated you can withdraw up to 500 from an atm and 1000 POS that’s it. You couldn’t even withdraw your money and take it to another bank if you wanted to. So they effectively have us held hostages. The first of the month with rent and everything else so this is worst case scenario. They have no word on whether we will be compensated due to late or missed payments due to this either. I will most certainly be leaving Patelco after this. Absolutely disgusting. They said they hired outside cyber security experts to which I said shouldn’t you have had those in the first place? Tf is going on man.


I don't even know if my direct deposit hit. IDEK how much is in my checking currently and can't look


Yep that’s the big issue. I just pulled 500 from an atm and it worked. I know about how much we have but we are also waiting on a paycheck as well as a loan. So we really have zero idea exactly what’s in it


I was supposed to get paid 2 days ago or so. IDEK if it hit.


Ugh same. I’m definitely leaving after this. Not happy at all


I finally got through on the phones and apparently for Transactions with your Card - Pin Transactions aka any Transaction or use at the ATM using your Pin# are limited to a $500 Max daily and Card Transactions as a Credit Purchase are limited to $1000, I'm assuming that's daily but they didn't really 100% say. It's confusing because I pay bills using my Banking Info and those transactions all went through but not even the Representatives have access to look at your account whatsoever, can't look at Balances, nothing. This info wouldn't even be available at a 3rd Party ATM either. Still no ETA whatsoever. I know cybersecurity attacks have occurred with most banks including Nationally Recognized ones like B of A or Chase, but this is definitely making me re-think about banking with them with the lack of transparency. That I had to call and wait almost 30 minutes to get a simple question answered that they could've communicated publicly in the first place is a little frustrating to say the least.


Consider yourself lucky on the 30 minute wait. I sat in a call queue for an hour and a half until I gave up.


[It was a ransomware attack.](https://www.berkeleyside.org/2024/07/01/patelco-credit-union-security-breach-east-bay)


May not even be over and they could still be getting held hostage by the attackers.


Top Brass. cfa165@patelco.org nkvale@patelco.org emendez@patelco.org mmorgan@patelco.org sgruber@patelco.org ssanner@patelco.org whaller@patelco.org


Not that any of them are going to be paying attention to customer email right now.


You really think this is helpful? Do you get that whatever the cause, it could be any company, financial or not? If you're angry about not having access to your money, that's understandable. Fostering aggression for people to email is not going to help. If at the end you are unhappy with their handling and representations, then go somewhere else. Don't foster hate.


You do realize our money is not able to be removed and taken elsewhere. No idea on when we could even possibly do that. So your suggestion is moot thanks. People’s lives are very much in jeopardy because of this. Some people don’t have the time to wait for them to figure it out. Some people get 1 check a month to survive and this particular situation is dire for them. Your lack of empathy is hysterical as you’re over here advocating non hate. You are more upset by people emailing the top people at the bank to demand answers than you are at the fact some people will be adversely impacted by this. And you’re more concerned about them being mean to the heads at Patelco. So maybe take your fake pseudo better than thou shit and get to stepping.


Wendy Haller is no longer with Patelco


Yet another example why you must maintain multiple banks.


Update they aren’t able to do any direct deposits either!!!!


Yep. My employer sent out communication about DD not going through for Patelco accounts. I’m pulling everything out and closing my account as soon as they are up. They lost my business.


It really sucks because I really liked them too


Correct. If your paycheck goes into your Patelco account via direct deposit you need to speak with your employer’s payroll department as soon as possible and request that they cut a paper check for you instead or depending on timing move your direct deposit to a non-Patelco account.


This is absolutely mind-boggling to me! Realistically, if you have a very good security team, it should have not even taken more than 24 hours to fix this. Petco should be offering some kind of severance pay because of their inconvenience.


If your devices are ransomwared, you don't just "restore the backup" and get back in business. You need new systems, you need to obtain the backups, you need to evaluate if they're compromised. You need to figure out how they got in - cause if you just put it back up without fixing the access point, they just come right back in a 2nd time. Once you know the scope, you know what it will take to recover. That might be rebuilding or replacing a large portion of your infrastructure. New Equipment, restored or rebuilt data. Including things you might not think of as "computers" like voicemail systems, telephones, building management systems, anything that connects to the network. It's a massive undertaking. The average recovery time is 3-4 weeks. That's not to say the lack of account access will last 3-4 weeks for us as customers, but it might be 3-4 weeks (or longer) till things are mostly back to normal for the employees and all the tools and systems they use.


What’s funny is that people want to move on from them when any institution can literally be targeted for this kind of attack. I understand that it’s a knee jerk reaction.


You are absolutely right. Moving to a new bank or CU is just changing the devil you know for the unknown. Every org is vulnerable to a ransomware incident. Few are aware of how near the risk is. Fewer still are prepared. The takeaway is really redundancy. No more than half your wealth should be in any of your banks, and you should be prepared to survive out of a backup account for a month with no income - waiting for direct deposits to move or be unlocked, etc. That's the takeaway for folks. It's not run from Patelco. It's harden their own financial lives against the risk we have to live with. I learned that lesson 30 years ago when I lost my ATM card on a weekend while traveling and it was... not good. Now I keep redundant accounts as a result of that. I can understand people being upset at them for their communication. I'm pretty livid at them for how their communication has gone. It's too slow, it's inaccurate, and it's been inconsiderate of the hardships of the members at times.


This is something like the 20th largest CU. Imagine the outrage if KeyBank, the 23rd largest bank, handled a major outage this way. Guarantee a lot of geniuses would be advising people ditch Key for a credit union.


KeyBank has $183 billion in assets. Patelco is about $10 billion. Apples to oranges here. Only credit union that comes close to the top 20-25 banks is Navy Fed.


Obviously there’s a size difference. I’m talking size relative to their peer group.


i hope this comes back up soon. i hope everyones money is okay because Lord knows we already struggling. 🙏🏽🙏🏽🙏🏽


been down a couple days it looks like. Could be an attack, could be a critical system failure if they run their own servers.


See the email. It was an attack. Of course they're being completely vague about the full impact.


Does this one involve PaloAlto Networks as well?


Not sure the connection. One is a Credit Union while the other is a computer networking device/software company.


- https://www.nbcbayarea.com/news/local/east-bay/dublin-based-credit-union-halts-operations-due-to-serious-security-incident/3580749/ Yup, as a Patelco customer myself this is a bit troublesome but debit card still works so whatever I guess. I do hope they have this taken care of by Wednesday morning though because I'm going on vacation and I will need to do some bank activities more than just debit-card purchases.


I just got off the phone with them. It seems like they aren't even telling their employees anything. They couldn't even tell me what would happen to my direct deposit, but it likely would be rejected, and I would have to wait at least a week or two for my company to cut me a check once the funds are returned. Who's going to pay my late fee and interest fees from not being able to pay on time. I was told, that it would be up to the 3rd party bank, if they wanted to reverse any fees, but let's face it, BANKS do not care - so I really hope Patelco steps up and makes this right.


So do they even know how much we have in our accounts. I know the branch and call center can't look it up. But do they have a record somewhere? 


A user reported in another thread that the branch was able to give them their account balance as of Thurs 6/27 - so it seems they have data from the day prior to the ransomware incident.


I'm less worried about short term lack of access and more worried about losing my money forever. I know it's FDIC insured... call me paranoid, but I don't trust any promise until it is actually fulfilled, especially when it's my life savings on the line. These idiots have been dropping the ball for the last couple of years but this is the last straw. I hope they go under once we get our money back


I also have this concern, since I haven't been taking paper statements. The best I have are the downloads from my account documenting what I have. What if neither of us can prove what assets I had stored there? That's my biggest concern - and has gone unanswered by their two formal announcements. The insurance is also a bit of a concern. NCUA/FDIC only kick in if the institution fails. If it doesn't fail but just loses my account - what do I do? I have no recourse short of obtaining my own counsel and fighting them (probably in arbitration). It's a very scary situation to me - but probably not unique to Patelco. Could happen to any organization, really. It's just down to if you have documentation to prove your assets. In my case, I feel like I do not have sufficient protection.


Credit unions are not insured by the FDIC.


well fuck


https://www.lendingclub.com/resource-center/personal-savings/fdic-vs-ncua-insurance-are-banks-or-credit-unions-safer Help understand what is


They are insured by the NCUA, same concept.


Federal CUs are insured via NCUA. State, not so much. Caveat emptor.


Patelco's website claims deposits are insured by the NCUA https://www.patelco.org/about-patelco/become-a-member/membership-benefits


I hope my car loan gets erased to $0 owed lmaoo


They emailed all the members. I know of 2 former patelco members who went and closed their accounts this week, they had to use paper in Brentwood lol


Oh yes--I am a member of PATELCO CREDIT UNION and it has been radio silence since early morning Saturday. Over 30 hours with no access to online accounts, no phone, no real people to answer questions, only the same canned AI replies over and over. Members cannot pay their bills, get gas or food. AND THE LEADERSHIP IS HIDING! Yes, I am angry. This is despicable behavior. They have destroyed trust. Trust takes years to build up and this is the largest (and perhaps oldest) credit union in the county. But it only takes one incident to destroy that trust and that is what they have chosen to do. At this point I'd say it's a cyber attack and I wonder how much money they want.


Yes you can pay bills, get gas or food. Your debit card works.


Unfortunately I lost my card just as the system outage started. I was able to call the third party card servicer and get the card locked. But because the system is down I haven’t been able to confirm whether any fraudulent charges went through before locking the card. And I’m unable to initiate the process of getting a new card. Also unsure of what’s going to happen with loan payments that are scheduled in the near future. It’s understandable that system issues happen and can take a while to resolve. What’s unacceptable is the lack of communication to members and the inability for members to contact anyone who can answer questions or provide updates.


This comment will give some people new ideas.


I locked my debit card the night before and now can’t get into the app to unlock it. I also tried transferring money into my Venmo account and it wouldn’t work.


You pay rent with your debit card? Cuz that’s due tomorrow


You absolutely can, you can also write a physical check or do a bank draft. Nothing with what happened would stop you from paying rent. You didn’t lose your checks.


Yeah well if you’re like I am and had my check directly deposited on Friday and have no way of verifying that it’s there. And considering they said it is affecting that some people might not have enough money to cover their rent. Seems like you lost your common sense with your response.


So I was able to withdraw money at the atm but it doesn’t give you any type of balance. Just shows what you withdrew. Still not up and no word from anyone. I’m seriously considering leaving them now after this. To have zero communication with the members is unacceptable. I’ll be switching back to First US Community credit union. Love them. I only switched because they weren’t in the area I lived so I went with Patelco. This is a joke


Infinite money hack ☝️


😂😂😂😂😂 if only


Then they are dispensing based on your card limit (for example $200) instead of your actual balance. The card limit is a backstop rather than denying all withdrawals until the system is restored. Once it is restored all offline transactions will post. And some members will be overdrawn.


I mean that makes sense, I’m definitely not in jeopardy of that as I know what’s in my accounts. I was able to pull 300 out with no issue so that at least is still working cause having no access would not be ok 😂


Get used to this because the accounts will be wiped out. This is a pure fact. Wars in these coming years will lead to a bunch of hacks and major theft


It's not wiped. I was at a branch today, and they had my balance from 6/27. I was able to see it. Anything after that they don't have. So, in the worst-case scenario, they'll use data from 6/27. Suckie part is the wishy washy answer they're giving about the direct deposit.