WASHINGTON -- Credit unions and other financial institutions cannot and should not treat all data security breaches as the same or as having the same risk, according to Bruce Hansen, CEO of ID Analytics, a data security firm.
Speaking to summit attendees, Hansen described the company's research, tracking 58 data security breaches, four of them "very high profile," and its findings that, in general, most of the breaches do not lead to fraud.
It is possible to characterize the higher risk breaches, Hansen said. Targeted breaches, where it appears that the breach was brought about by a criminal organization with a plan of how to get it and how to use it are the highest risk, but breaches where there is merely a hacker attack or a data tape falls off a truck are relatively low risk, with an incident of fraud of as low in 1 in 1,000.
Counter intuitively it is often the largest breaches which are the lowest risk since, Hansen said, the size of the files and the amount of information involved which precludes the criminals being able to get at and effectively use individual account data.
Financial institutions that face breaches, which appear to be hatched by criminal elements intent on finding and using card data, should be considered strong candidates for closing and reissuing cards. But card security breaches which are accidental or where there is no evidence of the sort of criminal planning necessary should not be considered as high a risk, Hansen said. --dmorrison@cutimes.com
