Heartland Breach Damage Hits CUs, Challenges Smaller Ones
According to media sources and card issuers, financial institutions around the country are feeling the pangs from the breach, but insurance and other executives say the amounts are hard to quantify.
Credit unions and other financial institutions around the country are beginning to suffer losses. One Web site that tracks banking security issues has collected the names of over 220 financial institutions that have claimed losses, but it's hard to tell, so far, how many losses there are on a national basis. To date, neither Heartland nor Visa nor MasterCard have verified how many cards or card issuers were compromised.
"It's too early to determine with any degree of certainty the magnitude of the breach in terms of numbers of credit unions or loss figures," according to CUNA Mutual spokesman Phil Tschudy. "What makes this one more difficult to assess is that Heartland is a merchant processor with 250,000 customers. So the fraud is spread out, unlike a retail breach where it's a little easier to determine the origin of fraud."
Heartland's reach, and therefore its breach, is wide. "Almost the only way a bank is not going to see damage from this is if they don't issue cards or issue very few," said one federal law enforcement official, who spoke on the condition of anonymity.
For credit unions with staff dedicated to managing their card portfolios, dealing with the breach losses has meant a lot of trouble, executives said. Credit unions with smaller staffs have found dealing with the aftermath of the data breach extremely challenging.
In one example, the $13 million Healthfirst Credit Union, headquartered in Waterville Maine, with two branches and a full-time staff of eight, has no one employee dedicated to its card programs. As of Feb. 13, the CU has suffered losses to roughly 800 cards, the vast majority of them debit cards, according to Lynda Quirion, who identified herself as one of the eight employees. This equates to 57% of the credit union's total cards.
"It is our policy to contact all members when we have to close a card and reissue it," Quirion said, "and now that means over 800 people while we are trying to work with other members to meet their other needs."
Quirion explained that the CU had not gotten a heads up about the breach and first discovered something was wrong when a member contacted the credit union about money being taken from an account in mid-January.
Total fraud losses to the CU's members, as of Feb. 13, ranged between $70,000 and $80,000, Quirion said.
"It's really very scary," Quirion said. "We have had breaches before, but this is the biggest one so far, and it is starting to feel like we are getting one big one every year. I have stopped using my debit card, it just feels too risky."
Quirion reported that most of the fraudulent charges had originated in Florida and Texas, which made sense after an announcement from law enforcement officials in Tallahassee, Fla., that they arrested and charged three men with using data compromised in the Heartland breach.
The police alleged that the three men used the stolen information to encode Visa-branded gift cards and then used those gift cards to commit fraud at area Wal-Mart stores.
However, law enforcement officials working close to the case said it was unlikely that the three were responsible for hacking Heartland's systems. It is more likely that they purchased the card numbers to use in their scheme, an official, who wished to remain anonymous, said.
So far, the investigation has uncovered more than $100,000 in fraud in this incident, the police have said. Federal law enforcement authorities would not comment on how many similar teams or individuals there might be around the country.
Meanwhile, even though the biggest data breach ever is unlikely to bring any new direct card innovations, such as implanting a chip in a card and requiring a separate personal identification number, it is prodding innovation in the way card breaches are managed.
In January, CUNA Mutual Group and Fidelity National Information Systems announced a joint innovation to help credit unions covered by CUNA Mutual's card insurance more efficiently submit card fraud claims, which CUNA Mutual plans to roll out to card processing CUSOs as well.
Now, Dynamic Card Solutions announced an instant card issuing technology and have begun deploying it specifically to help their institutions manage the reissuing of cards.
One, the $570 million United Heritage Credit Union, headquartered in Austin, Texas, has started offering members whose cards have been reissued the option of securing a new card at their branch in relatively little time. Of the roughly 1,000 card accounts that the CU has had to close and reissue so far because of the breach, more than 60% of the members have opted to get their new cards issued through the branch.