The 203,000-member, $4.7 billion Bethpage Federal Credit Union, headquartered in Bethpage, N.Y., notified members and the NCUA of the accidental exposure of personal member data last week.
In a June 13 press release and statement to its members, Bethpage said that data from up to 86,000 members had been placed on an insecure website accidentally while the credit union was moving the members from Visa debit cards to MasterCard debit cards.
“The risk for fraud or identity theft is low, according to a data security firm engaged by Bethpage,” the credit union said in its statement. “Certain key data such as Social Security numbers, PINs and CVV security codes were not in these files. Bethpage’s core data system was not breached and was not involved.”
However, a statement on the credit union’s website notified members that the exposed data included their names, mailing addresses and dates of birth, along with the numbers and expiration dates of their current Visa debit cards and the full account numbers of their primary savings accounts and the checking accounts linked to the exposed debit cards.
The credit union pointed out that the compromised Visa debit cards were already slated to be shut down as part of the migration to new cards, but Bethpage did not address the concern that the exposed data, combined with the credit union’s routing number, would appear to be enough to generate ACH withdrawals from members’ accounts.
Interviewed later about the spill, Bethpage CEO Kirk Kordeleski said that the credit union had been responsible for the breach. He explained a staff member uploaded a file containing the information onto a website. “She believed the website was secure. It had a password,” Kordeleski said. “But it was not.”
Kordeleski added that the staff member was no longer with the credit union and media outlets have reported she resigned.
The credit union had been sending the data to the firm it uses to generate member mailings, Kordeleski said, in conjunction with a conversion of its debit card portfolio from Visa to MasterCard cards.
Kordeleski said the data had been on the unsecured site for 30 days.
He also countered the concerns about ACH fraud and called the possibility that it might occur remote. While the exposed data would be enough to generate an ACH withdrawal, such withdrawals require the person withdrawing the funds to have a deposit account, he explained. Under the terms of the “know your customer” or “know your member” rules, it is considered very difficult to generate a fraudulent ACH withdrawal without being caught.
Bethpage also announced that it was offering members whose data has been exposed one year free access to credit monitoring through Experian, one of the three nationwide credit bureaus.