Details remain scant regarding the data breach acknowledged Thursday by retailer Target. However, one fact has emerged: the breach, said to be second largest in U.S. history after the 2007 TJX breach that involved more than 90 million credit card accounts, will have a significant impact on credit unions and their members.
The breach apparently extended to all Target stores in the U.S., and credit and debit cards used between Nov. 27 and Dec. 15 may have been compromised. More than 40 million cards are said by Target to be at risk.
The bad news: multiple reports indicate the breach involved theft of mag stripe data. That means criminals can use the data to manufacture new cards with valid mag stripe information and that may bode a boost in card present fraud at retail.
In many cases, too, the card issuer – meaning credit unions, if their members cards are involved – will suffer the financial liability, said TMG Senior Fraud Prevention Analyst Nicole Reyes.
She strongly urged credit unions to pay close attention to MasterCard and VISA fraud alerts, which will provide some details on exactly which cards may have been compromised. From there, Reyes suggested, it’s up to the particular institution and its appetite for risk. Some, she said, may choose to cancel all impacted cards and issue new ones, but she added that such a strategy can get expensive.
Others may opt to use transaction monitoring tools to attempt to identify efforts to defraud the account.
But there is a sliver of good news.
“One thing we are not seeing is any type of PIN fraud at ATMs with debit cards. There is no indication whatsoever of PIN fraud,” said Connie Trudgeon, a vice president at CO-OP Financial Services.
“We monitor activity for over 700 credit unions on a minute-by-minute basis,” she added.
At least one credit union, the $2.2 billion Affinity Federal Credit Union in Basking Ridge, N.J., proactively reached out to members with an email blast about the breach. In the email, Affinity wrote, “If you've shopped at a Target stores between November 27th and December 15th, we encourage you to contact our Member Service Center as soon as possible to request to have your card number changed and have new cards issued. Affinity will be compiling a list of potentially affected cards, but your immediate action can help expedite the replacement process, and ensure your account security.”
Many other credit unions are expected to make similar notifications.
News of the Target breach was broken yesterday by security blogger Brian Krebs.
The exact how of the breach occurred has yet to be disclosed by Target. However, security expert Rodney Joffe, an executive with cybersecurity firm Neustar, said, “This breach is big but it is not news. Breaches are going on every day. I will also tell you, Target is one of the best prepared companies and if this happened to Target it could happen to everyone else.”