GLENDALE, Calif. – Burglars broke into the main offices of the $1 billion The California Credit Union here over the weekend of November 15-16 and made off with a hard drive containing thousands of members' personal financial information.

The thieves did not take the whole computer but took only the hard drive, raising the possibility that they may have known what they were looking for, acknowledged Sandy Serpas, an Administrative Services manager with the credit union. But Steve O'Connell, CFO for the credit union, stressed that law enforcement investigators were still in the early stages and the sophistication of the theft was still unknown. "We wouldn't want to speculate on any direction the investigation might take," O'Connell said.

The credit union confirmed that 49,000 members' information was compromised in the theft and said that they began contacting members as soon as it became clear that the drive was among the items missing. Members' names, addresses, account numbers and social security numbers were on the drive. Drivers' license numbers and birthdates were not, the credit union said. The data compromised ran the spectrum of credit union products, including everything from share and share draft accounts, to credit cards, auto loans and mortgages, O'Connell explained.

In addition to the local police, the U.S. Secret Service has also taken a role in the case, O'Connell confirmed. He further added that, as of the first week of December, there had not been any indications of attempted identity theft on any of the compromised accounts. The credit union has set up a special hotline for members concerned that their financial information may have been compromised or who had been notified that it was compromised.
The credit union also announced that it planned to take special precautions with the compromised member accounts for the next year, including taking special steps whenever any account information was changed to make sure to identify the member seeking to make the changes. Other measures the credit union is taking include paying the cost of a one-year subscription to one of the credit monitoring services sponsored by the national credit bureaus. These services notify consumers whenever anyone seeks to open new lines of credit in their names or if there is any other "unusual" activity in their credit files. Additionally, the credit union has put so-called Credit Reporting and Security Alerts on those members' files with the credit bureaus. The Alerts notify the credit bureaus of potential security problems with the files and will last for 180 days.

But card security experts familiar with identity theft said that criminals interested in stealing identities have been growing steadily more sophisticated and savvy about the precautions institutions like The California Credit Union take to counter data compromise. "I wouldn't be surprised if anyone who bought this data or otherwise obtained it knows enough to wait until after 180 days to try to use it," said Allan Trosclair, a bank card security expert with BFS, a security consulting firm headquartered in Phoenix, Arizona. "After all, this is live data we are talking about here," Trosclair noted.

Trosclair estimated that, from the right buyers, the credit union's data could bring the thieves as much as $1,000 per name on the black market for financial data, because the buyers know that with a little luck they can turn their investment into thefts worth many more thousands.
Barry Smith, president of the firm, agreed and said that credit union members who had their data compromised in the theft may have to continue monitoring their credit for longer than the one year provided for in the free subscription to the credit monitoring service. "If there are incidents of attempted credit card fraud on some of these accounts, it may be that credit union members may have to monitor their credit accounts for more than the first year," he explained. Fifty percent of identity theft is caught by consumers being notified by one of the monitoring services, Smith added.

Both executives noted that the credit union had done the right thing by acknowledging the theft of the data and seeking to help its members address any potential fraud, but both men also said the theft indicated that a full review of security procedures for safeguarding member data may be necessary.

Trosclair questioned in particular why any members' financial information was resident on any individual hard drives at the credit union. He pointed out that increasing numbers of institutions are going to a server-based system for storing member data, a system where an executive or staff member can call up a member's account to query it or change it, but would not allow any of that information to remain resident in single computers or hard drives. Such an approach, he also pointed out, would allow the credit union to keep better track of who is allowed to see and change member information, as well as record the occasions when they do so.

The hard drive theft is the second significant fraud incident to take place in less than two months. In November PSCU Financial Services, a card processing cooperative for more than 500 credit unions which process their cards on the First Data platform, reported that 66 of its member credit unions had lost $1.6 million to a credit card theft ring which was supplied in part with credit union cardholder information from a 10-year PSCU employee.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.