Priority One CU Reacts After it Exposes Critical Member Data in Mailing
SOUTH PASADENA, Calif. -- Talk about seeing the silver lining.
Charles R. Wiggington Sr., the CEO/president of Priority One Credit Union, says he's seen some good coming out of the inadvertent mass mailing to members that included Social Security and account numbers printed on the envelopes.
"This is embarrassing, of course, but it's also had one good result," Wiggington says of the April 23 mailing. "It's heightened our awareness in general, for everyone. Now our employees are asking for IDs, mothers' maiden names, you name it. They've really gotten into thinking about members' security."
Six weeks after the 21,000 letters were mailed out, no accounts have been compromised and few members have taken the credit union up on its offer of a year's worth of free credit report monitoring from Equifax, the CU's president and CEO says.
Very few also have asked for a new account
number, which the credit union also offered, Wiggington says.
The letters went out on April 23 and contained ballots for an upcoming election for the $172 million CU's board. A mail house and auditing error resulted in the numbers being printed on the envelopes, although they were without dashes and not easily discernible as Social
Security and account numbers, Wiggington says.
A letter from Wiggington to members describing the mistake and the credit union's response--including increased vigilance around member account activity--was posted on its Web site at www.priorityonecu.org for 30 days, Wiggington says.
Wiggington says the credit union was alerted as soon as the mailings went out, and that "we got a flood of calls," but waited a couple days before alerting its membership and announcing relief measures.
"We wanted to give the post office a chance to get all the letters delivered," he says. "We didn't want to get the word out while some were still in the mail."
In fact, about 65% of the credit union's membership is postal workers, and part of Wiggington's response was to go to the main post office in South Los Angeles, where officials "put me on video tape and left it up on a big screen for a week to tell all our members there that they had nothing to worry about."
In addition to checking with its attorneys and regulators to ensure compliance in the wake of the mailing, Wiggington says "we'll be using a different mailing firm and auditors, and there'll be more checks and balances in place."
The situation got some publicity in a May 29 blog by a widely read technology writer for PC World, Steve Bass, who was one of the credit union's members who received the letter. Bass decries the error as a "security breach that was stunning" and says, "I'm watching my credit union account like a hawk."
He also writes, "I think it ought to be a law that any agency guilty of a security breach should be forced to make a one-year commitment to help if the person becomes a victim of identity theft."
Wiggington, who became the president/CEO in January after 16 years with the CU, says the organization is now talking to several vendors of identity theft prevention and relief programs, which he says would be an offering members can adopt for a fee.
He says the credit union also is considering working with its core processor, XP Systems, to put PIN pads at every teller station and require members to swipe their ATM or VISA check cards to make
"That's just another layer of security we can add," Wiggington says. "Unfortunately, you don't think of a lot of these things until something happens."