Hackers compromise hundreds of Quincy Credit Union accounts

Denys Prykhodov/Photographer: Denys Prykhodov

Customers of Quincy Credit Union were without ATM and debit card access for much of Sunday, as the financial institution scrambled to shore up security after a breach allowed hackers to steal from accounts.

Stewart Steele, the credit union’s chief executive, believes at least 670 accounts were compromised in an ATM skimming scheme. The practice generally uses a device attached to a cash machine to steal account information from users’ cards.

The information was likely taken during the first weekend of December, he said, but the scam only became apparent in recent days, when credit union customers reported unauthorized withdrawals from the New York area.


Steele said all affected customers will be reimbursed.

After an hours-long shutdown of ATM and debit activity — as well as a separate glitch that limited online account access — the institution said that all of its services were working by 6 p.m.

“We are tremendously sorry for any inconvenience this has caused,” Steele said.

John Shea, 56, of Quincy, said his daughter was among the victims of the data breach. She discovered the problem on Sunday.

“She called me and she was upset. ... She went to use her ATM card this morning and it wouldn’t work,” he said. Then, she logged into her online account and saw that someone in Manhattan had withdrawn $500 without her permission.

The money had been taken on Christmas Eve.

“She called the credit union and then went online and saw that it happened to a lot of other people,” he said.

Shea said the family is frustrated by the theft.

“It seems like a major breach,” he said. “They should have been on top of this.”

Quincy Credit Union officials are asking customers to review their accounts to see if there’s been any fraudulent activity.


The Quincy Credit Union website directs customers who suspect fraud on their debit card to call 617-479-5558 extension 121, or send an e-mail using a form on their website, www.qcu.org .

It’s not yet clear how much money has been taken in the scam, Steele said.

“We haven’t completed our investigation yet,’’ said Steele. “We don’t know the full extent of it yet.”

Steele said he did not have an estimate of the number of account holders who were without ATM and debit services Sunday. He said the shutdown began around lunchtime.

According to its website, Quincy Credit Union was founded 78 years ago and serves people who live or work in Norfolk County, Plymouth County, and Dorchester.

Throughout the afternoon Sunday, people posted comments on social media, complaining that money was missing from their accounts and that their cards were not working.

Steele brought in a team of people to make phone calls to customers affected by the breach.

“We are assuring our members that they are not going to incur any losses at all on any fraudulent activity in their account,” said Steele.

He said he will notify Attorney General Maura Healey, the state Division of Banks, the National Credit Union Administration, and other appropriate agencies about the data breach.

Quincy police referred questions about the scam to the credit union. The National Credit Union Administration, which regulates the credit union, could not be reached for comment.

Emily Sweeney can be reached at esweeney@globe.com. Follow her on Twitter @emilysweeney.