An unknown number of the third largest credit union's members were put at risk of identity theft after the CU had its security breached by a program carried on an infected laptop.
The $15 billion Pentagon Federal Credit Union partially detailed the breach in a Dec. 30 letter to New Hampshire's attorney general. More than 500 of its members that were New Hampshire residents had their data put at risk, the CU said, and New Hampshire requires notification of information security breaches.
Pentagon Federal used the Massachusetts law firm of Edwards Angell Palmer & Dodge to send the letter.
The credit union declined to make any additional comment about the breach.
In its letter to the attorney general and to members, the CU said that it had discovered the breach on Dec. 12 and attributed it to a laptop that "had been infected by malware."
The CU did not say whether the laptop had been used by one of its employees or an employee of a third-party vendor.
The breach allowed the names, addresses, Social Security numbers, CU account numbers, and credit and debit card numbers from members, former members, employees and beneficiaries to be put at risk of compromise. Personal identification numbers were not compromised in the breach, the CU said.
The credit union added that it eliminated the unauthorized computer code as soon as it was discovered and that it has "no indication" that any of the compromised data was used to harm members. But Pentagon Federal went ahead and closed and reissued the debit and credit cards of members whose card account information may have been compromised and engaged the data monitoring firm Kroll Inc. to monitor member consumer data to protect them from possible identity theft.
The unusual breach took industry security analysts by surprise, both because it happened at such a large and sophisticated credit union and because it took place at a financial institution at all. In general, financial institutions have largely learned how to protect their member and customer data, and data security breaches have been far more common when consumers have used their information to make purchases at brick and mortar merchants or online, they said.
But Brad Mundine, a risk manager for CUNA Mutual, stressed that credit unions should understand that while the data breach risk might appear to have diminished, they remained targets of thieves seeking to capture and misuse their members' data.
He pointed out that data from industry watchers showed 62 financial institutions, both banks and credit unions, had suffered data breaches in 2009 and that 58 had in 2010. While smaller in number, the insurer considered these breaches to place credit unions more directly at risk than the data thefts at merchants or card processors, Mundine explained.
First, they involve data from the credit union's own members and only their members. The members are not just part of a broader selection of consumers who had been victimized. Second, the credit union's own systems were the ones that had been breached. "These are your firewalls, your protocols, procedures and systems that have been beaten," Mundine said. "That makes the liability for the breach significantly higher for the CU," he added.