Texas Dow Employees Credit Union was one of several dozen financial institutions affected by last year’s MoveIt cybersecurity breach, the credit union announced Monday.
The Lake Jackson, Texas-based credit union’s public acknowledgement adds it to a long list more than a year after the breach, which has affected more than 95 million individuals and 2,700 organizations, according to anti-virus firm Emsisoft’s most recent tally from public disclosures and securities filings.
On May 27, 2023, ransomware gang cl0p began its exploitation of an issue within secure file transfer program MoveIt, and MoveIt parent company Progress Software fixed the problem and notified customers within days.
But TDECU didn’t learn that its members were affected by the breach until last month, according to a letter to customers and a notification to Maine’s attorney general.
The notification to Maine’s AG claims that 500,474 people were affected by TDECU’s breach, much higher than the 386,000 members the credit union has, according to its website.
An internal investigation revealed that certain files containing personal information of TDECU members were removed by cl0p members between May 29 and 31, 2023.
“That analysis was completed this month and that was when we immediately sent notification letters to potentially affected individuals,” a TDECU spokesperson wrote in an email to Banking Dive.
According to the credit union, impacted data includes full names in combination with date of birth, Social Security number, bank or financial account number, credit and debit card number, driver's license or government ID and Taxpayer Identification Number.
It was not the only organization to find out later that it was affected by the breach. In October, Fiserv notified customers that it had fallen victim to the May attack, at which point Flagstar Bank found out it, too, was a victim – due to its relationship with Fiserv. Flagstar was not a client of MoveIt.
TDECU announced in April its intention to purchase Sabine State Bank and Trust, a bank based in Many, Louisiana. A TDECU spokesperson said the incident is not expected to affect its acquisition of Sabine, “which is still on track to be completed in early 2025.”
That is not always the case. Mike Manske, director of strategic advisor West Monroe’s cybersecurity practice, told Banking Dive that cybersecurity issues “present significant risks to bank M&A deals, with the potential to impact deal valuation, regulatory approval, integration processes, and overall transaction success.”
“A breach can lead to substantial financial losses from regulatory fines, legal fees, and remediation costs, often forcing buyers to reconsider deal terms or, in extreme cases, causing deals to fall through entirely,” he said. “Additionally, potential liabilities and compliance risks from data breaches may reduce the overall value of the acquisition, while the reputational damage can erode customer trust and compromise both the target and acquiring bank's market position.”
Sabine State Bank and its state regulator, the Louisiana Office of Financial Institutions, did not return requests for comment. Neither did the National Credit Union Administration.