What Happened
On September 1, 2025, MetroWest Community Federal Credit Union discovered a data breach after receiving alerts about suspicious activity on its systems; an unauthorized party had accessed and copied files on September 3, 2025, exposing personally identifiable information of at least 7,573 residents in Massachusetts and 65 in Rhode Island. The Akira ransomware group claimed responsibility for the attack, which used both data encryption and theft tactics, and publicized the breach on the Tor network on October 25, 2025. The compromised data included names, addresses, telephone numbers, Social Security numbers, full financial account numbers, debit card numbers, driver’s license numbers, and client documents such as driver’s licenses, birth and death certificates, and financial records. The credit union disclosed the breach to the Massachusetts and Vermont Attorney Generals’ offices on December 29, 2025, notified affected individuals by mail, and is offering complimentary 24-month access to Experian IdentityWorks identity protection services.
