Many Lessons Can Be Learned From the Heartland Data Breach
As processors, we are constantly monitoring authorization activity to protect our clients from fraud loss. The Heartland data breach only strengthened our resolve to remain vigilant in our efforts to deter the thieves at every possible moment. For example, our 24/7 monitoring of transaction and testing activity coupled with the sharing of our fraud intelligence helped the industry to identify the Heartland breach and ultimately stop the theft of data.
For credit unions, the breach reinforced the critical nature of a compromise mitigation plan. It was clear from the credit unions we talked with in the wake of the announcement of the breach that those prepared to manage this type of risk were much more in control than those that were not prepared. A compromise mitigation plan can be simple, but it needs to address a number of factors.
The challenge with a compromise is that there is never enough timely information available to enable a credit union to make perfect decisions. Unless a merchant has gone public regarding the breach and the investigation is complete, we are heavily reliant on the associations to provide information. With most major breaches, information is fluid and constantly evolving. This means that credit unions and processors must be prepared to make expedited decisions based on what they know at that point and move forward.
Determining your credit union's level of risk will include understanding the number of accounts affected and the type of data at risk. Credit unions also need to know the timeframe of the breach to determine when cards were at risk, as well as the percentage of those accounts that are still open and if cards have been reissued since the breach.
Because the decision about what to do is up to the credit union, a well-thought-out plan is invaluable. Processors should be able to advise credit unions on the options available to them and make recommendations based on existing circumstances and portfolio characteristics.
In the case of the Heartland breach, our client credit unions generally chose to reissue their cards, which in retrospect was a wise decision. Because most of the cards involved in that breach were active, and because of the way the data was compromised, reissuing was the right call. Even now, a year later, we still see occasional testing on some of the compromised accounts.
An effective compromise mitigation plan needs clear guidelines because it may not always be the card manager making the decisions. Compromises may be announced late on a Friday afternoon or a holiday, when some of the key people can be hard to reach and other staffers are forced to step up and take action.
In addition, the plan needs to focus on how the credit union should inform members of its actions and how the team should respond once cardholders hear about the compromise. There's nothing like getting hundreds of phone calls from worried members to teach you the value of an effective script.
The bad guys also learned some lessons from the Heartland compromise. Merchants and issuers are still under attack as criminals moved beyond a focus on big issuers to target medium and small issuers as well. More than ever, they understand the antifraud side of the business. They know how to stay under the radar and how to test compromised cards effectively, and they share that information with each other. It took nearly a year to track down and indict Albert Gonzalez, the suspect behind the Heartland compromise.
As we saw in the news recently with the Radisson Hotel chain's announcement that its system has been compromised, it is clear that the fraudsters are continuing to attack payments systems. We have been effectively strategizing against this Radisson Hotel compromise since the first of the year. It is critical that the good guys (credit unions, processors and cardholders) be constantly vigilant when it comes to fraud. The proportion of fraudulent transactions continues to decline. That's the good news. But the fraud threat continues, from petty crimes to large-scale compromises, making a battle plan for the next compromise essential for credit unions.