The California Office of the Attorney General disclosed on July 25, 2022, that BECU suffered a vendor network security breach on June 6, 2022, compromising sensitive personal information. The exposed data included names, addresses, account numbers, credit scores, and Social Security numbers of affected individuals. The breach stemmed from a third-party vendor’s security failure, prompting BECU to immediately suspend services with the vendor to mitigate further risk. While the exact number of impacted individuals was not specified in the report, the nature of the leaked data—particularly Social Security numbers and financial details—poses significant risks for identity theft, financial fraud, and long-term reputational harm. BECU likely initiated notifications to affected members and regulatory bodies, though the article does not detail additional remediation steps like credit monitoring or legal actions against the vendor. The incident underscores vulnerabilities in supply chain cybersecurity, where third-party breaches can expose core customer data held by financial institutions.

The Washington State Office of the Attorney General reported a data breach involving Boeing Employees' Credit Union (BECU) on May 26, 2022. The breach, which involved ATM skimming, occurred between March 26, 2022, and April 2, 2022, affecting 720 BECU members, among whom 717 are Washington state residents. Compromised information may include names, card numbers, CVV codes, PINs, and card expiration dates.

On December 27, 2021, Boeing Employees' Credit Union (BECU) experienced a system-generated error that led to a data breach, as reported by the Washington State Office of the Attorney General on January 21, 2022. The incident compromised the personal and financial information of 2,187 individuals, including their names and financial details. The breach was not attributed to an external cyber attack or malicious actor but rather an internal system failure. However, the exposure of financial data—such as bank-related information—poses significant risks, including potential fraud, identity theft, or unauthorized financial transactions. While the breach did not involve ransomware or a deliberate hack, the leak of sensitive employee financial records aligns with scenarios where internal data mismanagement leads to severe reputational and operational consequences. BECU, as a financial institution, holds a responsibility to safeguard such data, and the incident underscores vulnerabilities in internal data handling protocols. The affected individuals may face long-term financial monitoring burdens, and the institution could encounter regulatory scrutiny or loss of trust among members.

The Washington State Office of the Attorney General reported a data breach involving Boeing Employees' Credit Union (BECU) on November 22, 2021. The breach, which occurred between October 9, 2021, and October 15, 2021, involved the installation of skimming devices on ATMs and affected approximately 657 BECU members, exposing their names and financial information.

The Washington State Office of the Attorney General disclosed a data breach targeting Boeing Employees' Credit Union (BECU) in July 2020, originating from a cyberattack involving skimmers that began on April 1, 2020. The incident compromised sensitive financial data of 4,883 members, including names, card numbers, CVV codes, PINs, and expiration dates. Such exposed information poses significant risks of fraudulent transactions, identity theft, and unauthorized account access, directly impacting members' financial security. The breach was executed through malicious skimming devices or digital skimming techniques, likely deployed on payment systems or online portals. While the attack did not involve ransomware or large-scale systemic disruption, the theft of payment card details—especially PINs and CVVs—elevates the severity due to the potential for immediate financial exploitation. The breach underscores vulnerabilities in transactional security protocols and highlights the need for robust fraud detection and customer notification mechanisms to mitigate downstream risks like phishing or secondary fraud attempts.