Boeing Employees’ Credit Union Announces Third-Party Data Breach Following Incident at Printing Vendor

Console and Associates, P.C.

On July 25, 2022, Boeing Employees’ Credit Union (“BECU”) filed an official notice of a data breach with various government entities after the company learned of a network security incident at a third-party vendor affecting BECU customers. According to the BECU, the breach resulted in the names, addresses, account numbers, credit scores, and Social Security numbers of certain individuals being compromised. After confirming the breach and identifying all affected parties, Boeing Employees’ Credit Union began sending out data breach letters to all affected parties.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Boeing Employees’ Credit Union data breach, please see our recent piece on the topic here.

What We Know About the Boeing Employees’ Credit Union Data Breach

The information about the Boeing Employees’ Credit Union data breach comes from the letter the company sent to customers who were affected by the incident. According to the most recent information, on June 6, 2022, BECU became aware that the company’s printing vendor experienced a network security incident. In response, BECU immediately terminated the services of the third-party vendor, which remains unnamed at this point. Subsequently, the vendor informed BECU that the information belonging to some members was leaked.

Upon discovering that sensitive consumer data was accessible to an unauthorized party, Boeing Employees’ Credit Union worked with an independent data forensics firm to determine what information was compromised and which members were impacted by the incident. While the breached information varies depending on the individual, it may include your name, address, account numbers, credit score, and Social Security number.

On July 25, 2022, Boeing Employees’ Credit Union sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

More Information About Boeing Employees’ Credit Union

Founded in 1935, Boeing Employees’ Credit Union is a credit union located in Tukwila, Washington. BECU was originally created to serve employees of Boeing but has since opened up membership to employees of Boeing, employees of credit unions, Washington residents, and members of certain partner organizations (including the University of Washington Alumni Association and Washington State University Alumni Association). BECU operates more than 50 locations around Puget Sound, Spokane and in South Carolina. Boeing Employees’ Credit Union employs more than 2,485 people and generates approximately $936 million in annual revenue.

What Is a Third-Party Data Breach?

Many data breaches involve information that a consumer directly gave to a company being compromised when a hacker breaches the company’s computer system. However, in a third-party data breach, the company that the consumer gave their information to was not the hacker’s target. Instead, the hacker targeted a company—usually a vendor—of the company that accepted the consumer’s information. The BECU data breach is a good example of a third-party data breach because there is no evidence that there was any breach of BECU’s systems.

Given the fact that companies are becoming more specialized and outsourcing a greater percentage of tasks, third-party data breaches are becoming much more common. By some estimates, upwards of 74 percent of all credit card breaches were linked to problems with third-party vendors. Indeed, some of the largest breaches of 2022 have been third-party data breaches.

Third-party data breaches are more complex than traditional data breaches when it comes to determining which party bears responsibility for the incident. Naturally, when looking for a responsible party, most consumers look to the company they gave their information to. However, proving a company was negligent in selecting a certain vendor is often an uphill battle. To prove a data breach claim in this situation, a consumer would have to show that the company knew or had reason to know that the third-party vendor wasn’t up to the task of safely storing data.

However, data breach victims can also bring a claim against the third-party vendor whose systems were hacked. Regardless of a company’s relationship with a consumer, including if there is no customer relationship at all, any organization that maintains consumer data owes a duty to the consumer to protect their information. Thus, if a third-party vendor you’d never heard of is responsible for a breach, there is nothing preventing you from pursuing a claim against that company. In fact, that may be your only means of recourse.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Console and Associates, P.C. | Attorney Advertising

Written by:

Console and Associates, P.C.

Console and Associates, P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide