Kirk Kordeleski, the CEO of Bethpage Federal Credit Union, said the exposure of personal information from up to 86,000 of the credit union's 205,000 members happened because a staff member inadvertently uploaded a file containing the information onto an insecure website.
“She believed the website was secure. It had a password,” Kordeleski said Wednesday. “But it was not.”
Kordeleski added that the staff member was no longer with the credit union, and media outlets have reported she resigned.
The site that the staff member used was one the Bethpage, N.Y., credit union uses to move large files such as photos and other graphics, Kordeleski explained.
The $4.7 billion Long Island credit union had been sending the data to the firm it uses to generate member mailings, Kordeleski said, in conjunction with a conversion of its debit card portfolio from Visa to MasterCard-branded cards.
Kordeleski said the data had been on the unsecured site for 30 days, long enough for Google to have indexed it. But he added that security firms that the credit union consulted said only a few Internet users appeared to have viewed the data.
He also said Bethpage considered the risk of ACH fraud from the data spill to be remote. While the exposed data would be enough to generate an ACH withdrawal, such withdrawals required the person withdrawing the funds to have a deposit account.
Under the terms of the know-your-customer or know-your-member rules, it is considered very difficult to generate a fraudulent ACH withdrawal without being caught, Kordeleski said.