Connex Credit Union, a Connecticut-based financial cooperative, confirmed a data breach affecting approximately 172,000 customers after detecting unusual network activity on June 3, 2025, leading to the theft of sensitive files by an unauthorized third party.
The incident, confirmed through a filing with the Office of the Maine Attorney General and data breach notification letters sent to affected individuals, indicated that an unauthorized third party had exfiltrated sensitive files from the credit union’s network on June 2, 2025. Following an investigation that spanned nearly a month, Connex Credit Union determined the stolen data encompassed sensitive personal information. This included individuals’ names, account numbers, debit card information, Social Security numbers (SSN), and other forms of government identification details necessary for opening an account with the institution.
Despite the extensive data exposure, Connex Credit Union has stated, “Connex has no reason to believe the incident involved unauthorized access to member accounts or funds.” The credit union subsequently announced measures to enhance its cybersecurity posture and is providing affected individuals with 12 months of complimentary credit and identity theft protection services. These services are being offered through Cyberscout, a designated service provider.
Connex Credit Union operates as a member-owned financial cooperative and is recognized as one of Connecticut’s largest credit unions. It serves over 70,000 members and manages more than $1 billion in assets. Concurrently with the breach notification, the San Francisco-based law firm Schubert Jonckheer & Kolbe initiated an investigation into Connex Credit Union. The firm is examining whether the credit union delayed notification to its customers following the breach.
Schubert Jonckheer & Kolbe stated in a press release that while the breach occurred in June 2025, Connex Credit Union “did not begin notifying affected individuals until or around August 7, 2025.” This timeline is being scrutinized for potential violations of state and federal laws. In the State of Connecticut, the regulatory requirement for data breach notification mandates action “without reasonable delay, but no later than 60 days after discovery of the breach,” unless federal law stipulates a shorter timeframe.
The stolen data, which includes a range of personal identifiers, presents avenues for cybercriminals to exploit victims. Potential abuses include the creation of new accounts with financial and government institutions, which could facilitate schemes such as wire fraud and tax evasion. Additionally, the stolen information could be leveraged for spear-phishing attacks, designed to deploy malware, or even ransomware, against the affected individuals. To mitigate risks, individuals are advised to exercise caution when encountering unsolicited communications and to diligently monitor their bank statements for any suspicious activity.
