Connex Credit Union, a Connecticut-based financial cooperative, has confirmed a significant data breach affecting approximately 172,000 customers, with sensitive personal and financial information stolen by an unauthorized third party.
According to the credit union’s letter, “unusual activity” was detected on its network on June 3, 2025. A subsequent investigation revealed that an unauthorized third party had stolen sensitive files the day prior, on June 2, 2025. After nearly a month of investigation, Connex determined that the stolen data included customers’ names, account numbers, debit card information, Social Security numbers (SSN), and other government identification information typically required to open an account.
Despite the extensive data theft, Connex Credit Union stated, “Connex has no reason to believe the incident involved unauthorized access to member accounts or funds.” The credit union has announced it is enhancing its cybersecurity measures and is offering 12 months of complimentary credit and identity theft protection services through Cyberscout to affected individuals.
Connex Credit Union is one of Connecticut’s largest credit unions, serving over 70,000 members and managing more than $1 billion in assets.
The incident has also drawn the attention of a San Francisco-based law firm, Schubert Jonckheer & Kolbe, which is reportedly investigating the credit union for potential delays in notifying its customers. The law firm’s press release stated that while the breach occurred in June 2025, Connex “did not begin notifying affected individuals until or around August 7, 2025, which may have violated state and federal laws.” In Connecticut, the standard notification deadline for data breaches is “without reasonable delay, but no later than 60 days after discovery of the breach,” unless federal law mandates a shorter period.
The stolen data poses various risks to affected individuals. Cybercriminals could potentially use the information to create fraudulent accounts with financial and government institutions, engage in wire fraud, or conduct tax evasion schemes. Furthermore, the data could be exploited for spear-phishing attacks aimed at deploying malware or ransomware against victims.
To mitigate potential risks, users are advised to exercise caution when receiving unsolicited communications and to diligently monitor their bank statements for any suspicious activity.
