December 05, 2018

NAFCU stresses need for data security standards as mishaps continue

Following last week's news of a four-year-long breach of Marriott International's Starwood guest reservation system (one of the largest of all time), KrebsOnSecurity has notified the public of another security threat from jewelry retailers Jared and Kay. NAFCU continues to call on leaders in Washington to enact a national data security standard to ensure consumers are protected.

According to KrebsOnSecurity, the companies – both owned by Signet Jewelers – had a website vulnerability in which modifying an order confirmation link let a customer see another customer's order, including their name, billing and shipping addresses, items purchased, tracking numbers and the last four digits of the credit card used, among other information.

A web developer who caught the vulnerability and notified Signet and KrebsOnSecurity noted possible ways thieves could use that information to either steal packages or scam customers for more personal information. Signet says the data-exposure vulnerability has been fixed.
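The flaw described above is the familiar pattern in which a confirmation page trusts an order identifier carried in the URL and never checks who is asking. The following Python is an added illustration written for this article; it is not code from the page, from Signet or from KrebsOnSecurity, and the article gives no detail of how the retailers' site actually worked. The order records, customer ids, function names and the server secret are all constructed for the example. It shows the trusting lookup beside two ways a site can close the gap: binding the order to the logged-in customer, and, for links sent by e-mail where no login exists, requiring an unguessable HMAC token alongside the order id.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Order:
    order_id: int
    customer_id: str
    items: list = field(default_factory=list)
    card_last4: str = ""


# Constructed sample data: two orders belonging to two different customers.
ORDERS = {
    1001: Order(1001, "cust-alice", ["ring"], "4242"),
    1002: Order(1002, "cust-bob", ["necklace"], "1111"),
}

# Constructed for the example; a real deployment loads this from a secret store.
SERVER_SECRET = secrets.token_bytes(32)


class Forbidden(Exception):
    """Raised when a request may not view the requested order."""


def vulnerable_confirmation(order_id: int) -> Order:
    """Before: the page returns whatever order id appears in the link.
    Changing ?order=1001 to ?order=1002 in the URL yields another
    customer's record, which is the class of exposure the article describes."""
    return ORDERS[order_id]


def hardened_confirmation(order_id: int, session_customer_id: str) -> Order:
    """After (authenticated case): look the order up, then verify that it
    belongs to the customer identified by the server-side session."""
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != session_customer_id:
        # One response for "missing" and "not yours", so the endpoint does
        # not reveal which order ids exist.
        raise Forbidden("order not found")
    return order


def make_confirmation_token(order_id: int) -> str:
    """Derive an unguessable token for a confirmation link (e.g. in an e-mail)
    from the order id and a server-side secret."""
    return hmac.new(SERVER_SECRET, str(order_id).encode(), hashlib.sha256).hexdigest()


def tokenized_confirmation(order_id: int, token: str) -> Order:
    """After (unauthenticated link case): a bare order id is not enough; the
    link must also carry the matching token. Comparison is constant-time."""
    expected = make_confirmation_token(order_id)
    if not hmac.compare_digest(expected, token):
        raise Forbidden("order not found")
    order = ORDERS.get(order_id)
    if order is None:
        raise Forbidden("order not found")
    return order


if __name__ == "__main__":
    # The trusting handler hands out Bob's order to anyone who edits the id.
    print("vulnerable:", vulnerable_confirmation(1002))
    # The session-bound handler refuses the same request from Alice's session.
    try:
        hardened_confirmation(1002, "cust-alice")
    except Forbidden as exc:
        print("hardened:", exc)
    # A token minted for order 1001 does not unlock order 1002.
    tok = make_confirmation_token(1001)
    print("tokenized own order:", tokenized_confirmation(1001, tok).order_id)
    try:
        tokenized_confirmation(1002, tok)
    except Forbidden as exc:
        print("tokenized foreign order:", exc)
```

The tokenized variant is what a site needs when confirmation links are opened from e-mail without a login; the session-bound check is the right control whenever the viewer is authenticated, and both checks should sit server-side in the handler rather than in any link the customer can edit.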

In the wake of the Marriott breach, NAFCU Executive Vice President of Government Affairs and General Counsel Carrie Hunt urged leaders of the Senate Banking and House Financial Services Committees to take action on a national data security standard, and reiterated the principles credit unions would like to see addressed in any comprehensive cyber and data security legislation.

In addition, Rep. Bennie Thompson, D-Miss., who is set to chair the House Homeland Security Committee in the 116th Congress, has asked for a meeting with Marriott leaders to discuss the company's response to the data breach and its ability to detect and prevent future incidents. Senate Commerce Committee Chairman John Thune, R-S.D., and Subcommittee Chairmen Jerry Moran, R-Kan., and Roger Wicker, R-Miss., also sent a letter to Marriott's CEO asking for detailed information about the breach.

NAFCU has long been active with lawmakers on this issue, and was the first group after the massive 2013 Target data breach to call for a legislative solution to reform the nation's data security system. The association is currently engaged as Congress considers a bill that would require data breach notifications for financial entities akin to what is in place for financial institutions under the Gramm-Leach-Bliley Act.

The association will continue to be a leading advocate for national data security standards.