Just in time for the holidays, a major card data breach reminded credit unions just how vulnerable their debit and credit card programs remain to other institutions’ failures.
The breach this time came at Target, a leading retailer that Visa recognizes as a “Tier One” institution, meaning it is eligible for the best interchange rates. As a Tier One retailer, Target is also expected to have a PCI compliance program in place to help protect it from card security breaches.
Target has said that it had sought the assistance of a third-party firm which would conduct a forensic examination of how the breach happened, but gave no details about the attack.
The brand did say the attack took place between the day after Thanksgiving (Nov. 27) and Dec. 15 when the retailer said it discovered the breach and alerted authorities about it.
Target also reported that data from up to 40 million card accounts may have been compromised as part of the breach. If that estimate holds, that makes it the second largest in U.S. history, behind only the TJX breach in 2007 which saw data from some 90 million card accounts compromised.
Target was able to report some good news too. Contrary to other reports, no ATM PIN data appeared to have been taken, an assertion which was supported by an executive with a leading payments CUSO.
“One thing we are not seeing is any type of PIN fraud at ATMs with debit cards. There is no indication whatsoever of PIN fraud,” said Connie Trudgeon, a vice president at CO-OP Financial Services. She added, “We monitor activity for over 700 CUs on a minute by minute basis.”
This breach also differed from previous breaches in another significant way. Whereas, in the TJX and other breaches, retailers remained very reticent about acknowledging the compromise and tended to let credit unions and card issuers deliver the bad news about the need for new card accounts, Target stepped forward quickly.
This prevented credit unions from getting blamed as much for the security failure, but it also left them facing large numbers of members who woke up Dec. 19 to discover that Target shopping five days prior may have left them open to identity theft.
Many credit unions – such as the $2.2 billion Affinity in Basking Ridge, N.J. – proactively reached out to members with an email blast about the Target breach. “If you’ve shopped at a Target store between November 27th and December 15th, we encourage you to contact our Member Service Center as soon as possible to request to have your card number changed and have new cards issued,” the big New Jersey credit union said. “Affinity will be compiling a list of potentially affected cards, but your immediate action can help expedite the replacement process, and ensure your account security.”
The Minnesota Credit Union Network reported that its member credit unions had been “swamped” by members seeking information about the breach and guidance about what they should do.
The MnCUN said the $46 million Star Choice Credit Union in Bloomington sought out its card vendor and Target to determine next steps and implement strategies to mitigate fraud for any compromised member cards. Star Choice said it would continue to share information with members and is encouraging them to review their account transactions closely on an ongoing basis.
The $599 million SPIRE Federal Credit Union in Falcon Heights advised members to monitor credit and debit card accounts daily. Members were encouraged to contact SPIRE immediately so steps can be taken to restore funds to affected accounts. The credit union said it was also reviewing accounts for suspicious activity and issuing new cards as needed.
The $135 million First Alliance Credit Union in Rochester contacted each of its members on the list of cardholders impacted by the data breach to let them know what the credit union would do and to reassure them about what's going to happen with their cards. Members may also close their cards as a precaution if they choose.
What has not yet become clear is what this breach has cost so far. CUNA Mutual Group, the prime insurer for roughly 95% of credit unions in the U.S., did not have any executive as of press time that could speak to the numbers of claims it has received so far.
Also, in a first, CUNA announced it would collect data from credit unions suffering damage from the breach, but spokesman Ben Fishel said the association may not make the data public.
“Frankly, we started collecting the data because we anticipated some lawmakers might want to see it,” Fishel explained. “We might not release the data except to them.”
Another lingering question is what the breach might mean to the PCI Data Standard which card brands and processors have promulgated to help defend credit and debit cards from breaches.
“It's important to remember that the PCI DSS is the floor for card data security, not the ceiling,” PCI Security Standards Council General Manager Bob Russo said in an email to Credit Union Times. “A card data environment is under constant threat, so businesses must ensure their safeguards are also under constant vigilance.”