FRESNO, Calif. — Educational Employees Credit Union has become the latest CU to disclose a data breach that exposed sensitive personal information after an unauthorized party gained access to an employee email account, according to a filing with the Texas Attorney General’s Office.
The $5.3-billion EECU is one of numerous credit unions that have confirmed data breaches in recent months.
According to the filing, the credit union identified the intrusion on Dec. 15, 2025. An investigation determined that emails may have been accessed or extracted by an unauthorized party on the same day the incident was detected. A subsequent review of the affected email account concluded on May 8, 2026, that certain emails contained personal information.
What Information Was Compromised
The filing states that information potentially compromised in the breach included names, addresses, Social Security numbers, driver’s license numbers and financial information.
Educational Employees Credit Union reported the incident to the Texas Attorney General as required under the state’s data breach notification law, which mandates reporting when a breach affects 250 or more Texas residents.
The credit union did not identify the number of individuals affected in the information reviewed for this report. The Texas Attorney General’s breach database notes that details contained in breach reports may be updated after publication. EECU has more than 400,000 members.
According to notices cited in reports based on the attorney general filing, the breach involved unauthorized access to a single employee email account.
The filing indicates the review of the impacted account took nearly five months, from the date of the intrusion’s discovery in December until investigators determined in May that personal information was contained within the affected emails.
No Indication if Information Has Been Misused
No information regarding the identity of the unauthorized party or the method used to gain access was disclosed in the filing. The filing also did not indicate whether the credit union had identified any misuse of affected information.
