CUs ready to help members affected by data breach
Dec. 23, 2013 – In light of Thursday’s announcements about a data security breach at Target Corp., credit unions are already alerting members via websites and personal correspondence to keep them apprised of the situation.
News outlets nationwide reported on the Target breach Thursday morning, noting that the company confirmed nearly 40 million credit card and debit card accounts were compromised between Nov. 27 and Dec. 15. Data affected in the breach includes customer names, credit and debit card numbers, expiration dates, and CVV security codes.
“As many NAFCU members have done, credit unions can reach out to their members and alert them that they should monitor their accounts for fraudulent or unauthorized activity,” said NAFCU Director of Regulatory Affairs Mike Coleman. “Such actions may be a part of credit unions existing policies and established practices for handling data breaches. Credit unions should also closely monitor fraud alerts from VISA and MasterCard, as well as information released by Target, concerning potentially compromised account information, particularly when making decisions regarding reissuing cards to mitigate the risk of fraudulent activity.”
The KrebsOnSecurity website is already reporting that “Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card.”
Relatedly, NACHA issued a notice, “ACH Network Risk Management Notice” to alert credit unions and others about the consequence of the data breach in relation to Target’s REDcard, a debit card that can only be used at Target stores, on subsequent transactions. The notice states, “we do not believe that data obtained from the Target REDcard debit cards will be used for subsequent fraudulent ACH transactions.”
In letters sent to House and Senate leaders Thursday, NAFCU President and CEO Dan Berger urged them to pass bills to require merchants to adopt minimum data security standards and be accountable for breaches.
Passage of data-security requirements for merchants is a key element of NAFCU’s five-point plan for credit union regulatory relief. Berger noted in the letters that credit unions and other financial institutions aren’t the problem in situations like these and that they have enough regulations and required standards they follow to protect consumers’ data. He did note, however, that “any entity that stores financial or personally identifiable information should be held to minimum standards for protecting such data.”
NAFCU advanced its recommendations mentioned in the letters on data security to media nationwide and they were picked up by Pittsburgh Tribune Review, The Miami Herald, San Jose Mercury News, The Sacramento Bee and Dallas Morning News, among others, as well as numerous broadcast outlets.
NAFCU's five-point plan for regulatory relief