MADISON, Wis. (12/30/13)--Social media had a significant role in the way some credit unions communicated with their members after Target announced that its customers' data had been breached. Those same media also played a role in members' response to credit unions' actions taken to protect their personal information after the breach.
In Harrisburg, Pa., for example, the $4.2 billion asset PSECU took a proactive approach when the news broke on Dec. 18 that 40 million debit and credit cards had been compromised in the breach. It acted quickly to determine how many members were affected and discovered it had more than 28,000 debit and credit cards potentially compromised, according to the Pennsylvania Credit Union Association (Life is a Highway
PSECU decided to reissue cards, but with the Christmas holidays, it would be difficult to get the message out to its members. "The solution was to go to electronic delivery channels in order to get the message out," said PCUA. PSECU sent an e-mail to nearly 21,000 members and posted a message on its Facebook page.
"The response of the membership was quick and positive," the credit union told PCUA. "To date, the Facebook post received 191 'likes,' 52 shares and 60 comments. It also had a total reach of over 5,300 views, one of the highest since PSECU joined social media," the credit union said.
Many credit unions placed alerts on their websites. Richmond, Va.-based Virginia CU, for example, sent notices to 15,000 members with compromised numbers and placed an alert on its website urging members to monitor their accounts and consider changing their PINs (nbc12.com
Dec. 20). Family Security CU in Decatur, Ala., also placed an alert on its site urging members to monitor their accounts closely (al.com
Dec. 24). The $516 million asset credit union said 2,000 member cards were impacted.
Others used call centers to provide information. Redstone FCU, a $3.5 billion asset credit union based in Huntsville, Ala., told al.com
and the Decatur Daily
(Dec. 26) that the call volume at the credit union spiked on Dec. 20, just after Target's announcement. The credit union received 200 calls disputing charges on their accounts within a 24-hour period. It normally has 500 to 1,000 such calls in a month. Its staff worked through the weekend after the breach to catch up on paperwork associated with the breach.
Social media also was used by members responding to their credit unions' actions to protect the compromised accounts from fraud. White River CU, a $55 million asset credit union in Enumclaw, Wash., quickly alerted members that its Visa processor had placed an automatic block on the affected accounts. However, some members first learned of the action when their card was denied at stores and ATMs. Many understood, but some vented their frustrations on Facebook, the credit union told the Northwest Credit Union Association (Anthem Recap
Dec. 27). "I'm grateful you did this," said one member's post, "but I was mortified when my card was declined..."
Breaches have hard costs--in terms of reissuing cards and fraud on accounts--and softer costs--the impact on the reputation of the institution issuing the cards. Retailers like Target and card processors need to be held more responsible for data breaches, Scott Burgess, president/CEO of the $571 million asset Rivermark Community CU, Beaverton, Ore., told NWCUA.
NWCUA said credit unions in Washington state have available a state law, RCW 19.225.020, that allows institutions to file lawsuits if a merchant is negligent in safeguarding its customers' information. Northwest credit unions led the push for the new law in 2010. "We were literally the only group in Olympia pushing for this change in the law at first," said Mark Minickiello, NWCUA vice president for legislative affairs. "It took us three years to get consensus and change the law to allow financial institutions to recover some of the costs incurred in a data breach. It was a David vs. Goliath effort."
In other developments late last week related to the Target breach:
The Credit Union National Association announced last week it would create a website this week to collect information from credit unions about the costs they have incurred in response to the Target breach and that credit unions should already start keeping a tally of their costs related to replacing cards and monitoring for fraud on the compromised cards. See News Now story, CUNA CompBlog Provides Target Breach Response Tips in today's issue and Friday's story, CUNA Urges CUs to Collect Data on Costs of Breach. Use the links.
Target announced Friday that encrypted debit-card PINs were among the financial information stolen. The fact they were still encrypted during the theft reduces the risk to consumers who used those PINs at the point-of-sale terminals, Target said (FoxNews.com Dec. 27). The PIN information was fully encrypted at the keypad, remained encrypted within Target's system, and remained encrypted when the data was removed from the systems, said a Target spokeswoman. However, some are urging consumers to reset their PINs.
As of last week, more than a dozen Target customers had filed lawsuits in federal courts. Also, the Department of Justice said it is investigating the breach, reported Fox.