Cybercriminals are broadening their targets in the nefarioussearch for personal information from data breaches. Fraud trendsthat could involve credit unions in 2017 are payment-based andso-called aftershock password attacks.

The Experian 2017 Data Breach Industry Forecast, fromthe Ireland-headquartered information group, outlined what it seesas the top five upcoming data breach trends and issues. Whilesome archetypal hacker attacks continue to serve as go-to methods,there are evolving tools and focal points that are likely to becomefront-page news, based on Experian’s experience.

Their top data breach predictions from the fourth annualreport:

1. Aftershock password breaches will expedite the death of thepassword.
2. Nation-state cyberattacks will move from espionage to war.
3. Healthcare organizations will be the most targeted sector withnew, sophisticated attacks emerging.
4. Criminals will focus on payment-based attacks despite the EMVshift starting over a year ago.
5. International data breaches will cause big headaches formultinational companies.

For credit unions, and other financial institutions, one issuerises to the top, according to Experian Data Breach Resolution VicePresident Michael Bruemmer. Payment data will always be one of the mostvaluable types of information to criminals.

Payment attacks will continue to target companies, not despiteof, but because of the recent EMV liability shift, Bruemmerexplained. The transition from magnetic stripes to chip and PIN,has led to uneven adoption of the new technology, with companieseither failing to fully adopt the chip and PIN technology, takingsignificant time to adopt new systems, and/or failing to implementEMV successfully, which has left companies vulnerable to paymentbreaches.

“As attackers continue targeting big retailers, as well as turntheir attention to smaller franchised stores, more pressure andscrutiny will be placed on financial institutions that issue cardsto monitor all accounts for fraudulent activity, and swiftly andsensitively notify affected individuals,” Bruemmer added.

Additionally, cybercriminals will focus further up the chain,targeting payment processors that could provide access to severalpayment systems if compromised. “We’ve already seen reports of onemajor processor getting hit and likely being the source for many ofthe restaurant breaches that happened this last year. Getting thepotential keys to the castle for various and distributed systems islikely too tempting to pass up.”

The biggest threat next year to smaller financial institutions,such as credit unions, is the possibility of aftershock passwordbreaches. “We’re starting to see more and more previous databreaches come back to haunt companies as attackers continue to sellpersonal credentials on the dark web, often years after theinformation was originally stolen,” Bruemmer said.

Experian compares this to an earthquake aftershock reverberatingafter the initial occurrence. Criminals use this information toaccess individuals’ personal accounts, and companies have to informthose affected of unauthorized logins. Bruemmer added, “Any smallerfinancial institutions that have yet to implement two-factorauthentication for online services are likely to be at higher riskof experiencing an aftershock breach and subsequent increases inaccount takeover and fraud.”

Another trend that might go unnoticed is the growth of socialengineering to defraud companies. “This is an easy and quick wayfor hackers to cash in and has a pretty low barrier to entry,”Bruemmer explained.

While credit unions are typically not liable for this type ofloss, they could engage agitated members who are trying to recovermoney sent to criminals. This could have an impact on theirrelationship with the credit union. “It will be important forcredit unions and other institutions to help educate their businesscustomers about these types of scams to prevent them fromoccurring,” Bruemmer suggested.