Dover Federal Credit Union recently sent a letter warning customers an employee transferred DFCU files to the employee's personal Dropbox account. “Please know that this is not a breach and we do not believe that the information was misused or compromised,” DFCU director of marketing Deb Jewell said via email, regarding a cautionary letter the credit union mailed to customers Dec. 22.

Dover Federal Credit Union recently sent a letter warning customers an employee transferred DFCU files to the employee’s personal Dropbox account. A DFCU representative told the Dover Post it wasn't a breach.

Dropbox is a popular website that allows people to store digital files such as photos, movies, documents and more. The company has 500 million account users from around the world.

“Please know that this is not a breach and we do not believe that the information was misused or compromised,” DFCU director of marketing Deb Jewell said via email, regarding a cautionary letter the credit union mailed to customers Dec. 22.

“Because it was uploaded to Dropbox, we sent this notification out of an abundance of caution.”

What's in the letter?

The letter stated: “DFCU learned in late September 2016 that an employee transferred DFCU files to the employee’s personal Dropbox account to access the information from the employee’s home computer for business purposes.

“DFCU hired a computer forensic firm to help investigate the incident. The investigation determined that it was unlikely that any information was accessed by any unauthorized person. The employee was the only authorized user of the Dropbox account and did not provide the Dropbox credentials to any other individual.

“DFCU determined on November 23, 2016, that the files transferred to the employee’s Dropbox account included personal information of DFCU members. The information included the names, addresses, DFCU account numbers, and Social Security numbers of members.”

Jewell would not say whether the employee is still with the company.

A representative of the Cooperative Credit Union Association – a trade group representing credit unions in Massachusetts, New Hampshire, Rhode Island, and Delaware – said it was hard to say whether it's possible DFCU accounts could become compromised in the future, since private customer information was transferred to a personal Dropbox.

“I don't know,” said CCUA director of communications Carole Langiu. “I would have to go with the judgment and experience of the [forensic] experts.”

Customer concern

The attorney general's office won't get involved with the incident because the Department of Justice doesn’t regulate credit unions, said AG office spokesman Carl Kanefsky.

A former DFCU customer told the Dover Post he was surprised to receive the letter, since he stopped being a member about four years ago. He's now skeptical whether his information is safe from hackers, since he didn't know the credit union still hasn't deleted his account.

Jewell said DFCU has received requests from customers to have account information deleted immediately from their system. However, at the moment it's not possible.

“At this time, our accounts have safety features and anti-fraud features built into them and do not allow us to simply delete an account without going through the purge process,” Jewell said via email. “We are assessing options and federal requirements for data retention and are hoping to remove all the data we are legally able to before the end of the March this year. Ideally, much sooner than this, but we are working on the process and testing it thoroughly.”

Jewell said the credit union has put measures in place to prevent similar incidents from happening.

“We have instituted stronger security programs and continue to enhance this,” she said. “We have revised our training and policies and reeducated team members.”