October 19, 2020

NAFCU again urges national data security standard after recent breaches

There were several reports last week of data breaches: Fintech company Robinhood announced that almost 2,000 market accounts were compromised, Dickey's Barbecue had information of more than 3 million cards stolen, and Barnes & Noble suffered a breach that exposed some personal information of customers. As a leader in calling for national data security standards, NAFCU sent a letter to Congress urging action to ensure consumers' information is properly protected in light of these breaches.

The association was the first group after the massive 2013 Target data breach to call for a legislative solution to reform the nation's data security system, and consistently reiterates its principles for a data security standard – which includes holding negligent companies accountable and ensuring consumers are made aware of breaches in a timely manner – to lawmakers.

In the letter sent Friday, NAFCU Vice President of Legislative Affairs Brad Thaler called on Senate Majority Leader Mitch McConnell and Minority Leader Chuck Schumer, D-N.Y., House Speaker Nancy Pelosi, D-Calif., and Minority Leader Kevin McCarthy, R-Calif., to keep data security a high priority.

"Unfortunately, retailers, and even fintechs such as Robinhood, are not held to the same data security expectations as depository institutions, which have faced rigorous cybersecurity exams for years under the Gramm-Leach-Bliley Act (GLBA)," Thaler wrote. "Even more troubling, the U.S. Securities and Exchange Commission (SEC) issued an advisory last month which warned against precisely the sort of authentication weaknesses that may have played a role in the reported Robinhood breach.

"…As past data security incidents have often shown: In hindsight, breaches can be prevented. NAFCU believes that when a breached entity knew or should have known about a threat, and fails to act to mitigate it, the negligent company must be held financially liable," Thaler added, further detailing how credit unions and members are impacted when they must absorb fraud-related losses.

Read Thaler's letter and review NAFCU's data security principles here.

According to Bloomberg, an internal review of the Robinhood breach has revealed a hacking incident larger than what was initially reported, one that siphoned funds from customers' Robinhood Markets accounts. While the fintech company is subject to the SEC's oversight, its cyber exams are not the same as those of banking regulators such as the NCUA.

The Dickey's BBQ breach likely extended from May 2019 to September 2020, KrebsOnSecurity reported, and used malware to compromise payment systems at over 150 locations across 30 states. Card information from its breach is being sold on a black-market site "advertising 'valid rates' of between 90-100 percent. This is typically an indicator that the breached merchant is either unaware of the compromise or has only just begun responding to it."

In a statement, Dickey's highlighted that individuals who report unauthorized charges to their financial institution in a timely manner aren't generally responsible for the lost funds. Cybersecurity firm Q6Cyber's CEO told Krebs that "the financial institutions we've been working with have already seen a significant amount of fraud related to these cards."

Barnes & Noble became aware of a data breach Oct. 10 and notified customers that personal information, including transaction history and email addresses, was exposed. However, in its notification of the breach, the bookstore chain said payment information was not exposed.

NAFCU will continue to keep credit unions informed of data security issues and push for Congress to enact national data security standards. The NCUA recently shared cybersecurity resources for credit unions as October is National Cybersecurity Awareness Month.