MADISON, Wis. (12/26/13)--The data breach Target announced last week has brought in its aftermath several class action lawsuits, compromised card numbers flooding the black market, risk analysis by various industry groups, and credit unions rallying to support members who used their debit or credit cards at the retail giant during the holidays.
As of Monday, Minneapolis-based Target was already the bull's eye in three class-action lawsuits, and attorneys general in Connecticut, Massachusetts, New York and South Dakota had asked Target for information about the breach (USA TODAY Dec. 23).
Target's breach will cost consumers and the financial industry, said the California and Nevada Credit Union Leagues, which urged federal and state officials to take action to prevent the cost of such breaches from being passed on to consumers and the financial services industry.
"When retailers have security breaches in their credit card information, they see it merely as an inconvenience, but there's also a significant financial impact on consumers and financial institutions," said Diana Dykstra, president/CEO of the California and Nevada leagues.
"Every consumer now has to keep an eye on their credit information, and there likely will be headaches for both consumers and the financial services industry, with the potential need to replace millions of cards. It's an embarrassment for a retailer, but the breach costs fall on the shoulders of consumers and their financial institutions, like credit unions," Dykstra added.
The $5-$10 cost to reissue and deliver each new card is exacerbated by the cost incurred by credit unions to reimburse members who have lost funds due to fraudulent transactions. "California and Nevada credit unions have been inundated by thousands of calls from members concerned about their credit information in the wake of the Target incident," she said.
The breach should prompt the public and lawmakers to engage in a dialogue about the antiquated magnetic stripe technology, said the leagues. That dialogue should emphasize the need of retailers and financial institutions in the U.S. to adopt the more secure chip and pin card technology, which is widely used in other countries and is less vulnerable to breaches, the leagues said.
Because Target's investigation into the breach is ongoing, it has not specified publicly how the breach occurred. Several security analysts have weighed in on the issue, with most experts saying they believe the incident was from an external attack.
BankInfoSecurity.com noted that one leading card issuer affected by the attack said about 40,000 of Target's 60,000 point-of-sale terminals were likely infected with malware automatically downloaded from a hacked server. Once infected, the POS devices were instructed to store and forward the magnetic stripe data from the transactions, said the publication.
Meanwhile, credit unions in Target's home state--like many all over the country--were proactively working with their members to address concerns about their data privacy in the wake of the breach, reported the Minnesota Credit Union Network (MnCUN).
"Member privacy and protection are extremely important to Minnesota credit unions," said Mark D. Cummins, MnCUN president/CEO. "Minnesotans can continue to count on credit unions as their trusted financial partner as the impact of the data breach continues to unfold."
MnCUN noted that Star Choice CU in Bloomington, Minn., is working with its vendor and Target to determine the next steps and implement strategies to mitigate fraud on member cards. Also, SPIRE FCU, Falcon Heights, Minn., advised members to monitor credit and debit card accounts daily and directed them to contact the credit union immediately so steps can be taken to restore funds to affected accounts. SPIRE is also reviewing accounts for suspicious activity and issuing new cards as needed.
The breach compromised 40 million cards that were used at Target stores across the U.S. between Nov. 27 and Dec. 15. The Credit Union National Association is working with other organizations to keep credit unions informed. Those organizations include CO-OP Financial Services, CUNA Mutual Group, PSCU, Financial Services Information Sharing (FS-ISAC), Visa and MasterCard, as well as the Electronic Payments Coalition and NACHA--the Electronic Payments Association.
FS-ISAC told CUNA it sent a proprietary alert Friday to its member organizations with speaking points to help shape institutions' communications with consumers and media, NACHA's operational bulletin about automated clearing house issues related to Target's branded RedCard debit card, and speaking points about typical investigation processes and information sharing. FS-ISAC, of which CUNA is a member, is also working to get a clear picture of the breach and impact, including tactics, techniques and procedures, which it will make available when the investigation concludes.
For specific information on what credit unions should do and CUNA Mutual Group's advice on alleviating risks from the breach, use the links to the News Now stories, CUs Impacted in Target Breach Get Risk Mitigation Tips and CUNA Working to Determine Impact of Target Breach on CUs.