Archive Links

Consumer Archive
CU System Archive
Market Archive
Products Archive
Washington Archive

CU System Archive

CU System

Heartland faces class action suit from investors

 Permanent link
NEW YORK (4/2/09)--Yet another class action lawsuit stemming from last year's data breach has been filed against cards processor Heartland Payment Systems, this time on behalf of investors who purchased or acquired the company's securities. Murray, Frank & Sailer LLP filed the lawsuit in the U.S. District Court for the District of New Jersey on behalf of investors who acquired securities between Aug. 5, 2008 and Feb. 23, 2009 (Business Wire March 27). The complaint charges Heartland and some of its executives with violations of federal securities laws, saying that during the period, Heartland made false and/or misleading statements and failed to disclose material adverse facts about its business, operations and prospects. Specifically, the complaint alleges, the company misrepresented or failed to disclose that:
* Its safety and security measures designed to protect consumers' financial information were inadequate and ineffective; * Its payment processing system had been infected with malware as early as May 2008; * It was aware of a potential breach of its payment processing network; * It faced liabilities associated with the breach and increasing costs associated with implementing appropriate security measures; * It was at risk of losing customers; and * It lacked adequate internal controls.
On Feb. 24, when Heartland reported its earnings for fiscal year 2008 and fourth quarter 2008, it disclosed it might incur losses form the security breach.

CUs in three states sue Heartland Payment Systems

 Permanent link
WEST PALM BEACH, Fla. (4/2/09)--Four credit unions from Florida, Alabama and Louisiana have filed a $5 million class action lawsuit against Heartland Payment Systems Inc., seeking damages from what could be the nation's largest data breach. The credit unions are PBC CU, West Palm Beach, Fla.; Gulf Winds FCU, Pensacola, Fla.; Alabama Rural Electric FCU, Montgomery, Ala.; and First Castle FCU, New Orleans. The suit was filed on their behalf Thursday in U.S. District Court for the Southern District of Florida in West Palm Beach. In the complaint, the credit unions allege that Princeton, N.J.-based Heartland, which publicly announced the breach on Jan. 20, was slow to notify its clients about the breach and that the delay caused additional damages. Heartland first learned of a possible breach in October of 2008. "Not only has Heartland kept its merchants, consumers and credit card issuers in the dark publicly, but it also has not informed many of them in private," the complaint alleges. Each credit union said it had to re-issue a substantial number of credit and debit cards to members whose accounts were compromised in the breach, which occurred sometime in 2008. The breach compromised credit and/or debit card numbers, expiration dates, internal bank codes, personal identifying information and/or confidential financial information of numerous consumers. The complaint did not specify how many cards each credit union re-issued. The credit unionseek reimbursement of the costs associated with replacing the cards and notifying members of the breach, time spent by employees on the issue, harm to reputation and goodwill, and fraud and misuse of the compromised information. The complain alleges that Heartland's actions constitute violations of the New Jersey Consumer Fraud Act; amount to a breach of implied contract or contracts to which the credit unions and other class members are intended third-party beneficiaries; and are negligent. The lead attorneys in the case are Gregory Scott Weiss and Theodore Jon Leopold of Palm Beach Gardens, Fla.-based law firm Leopold Kuvin.

Perimeter Creative Conficker worm brings challenges

 Permanent link
MADISON, Wis. (4/2/09)--The Conficker worm wasn't exactly an April Fool's Day joke. It didn't live up to its hype, according to media reporting the progress of the computer worm. That didn't surprise Kevin Prince, chief architect of Perimeter eSecurity, a CUNA Strategic Services provider. In his network security blog (see the resource link), Prince said he didn't expect anything significant to happen Wednesday. "Conficker is a fairly new worm that infects unpatched Microsoft systems turning them into 'zombies'--a computer under the command and control of someone else. Understand that when a system is compromised, the remote attacker now has higher level privileges on the system than the user does. When many zombies are 'harvested' (exploited by the malicious software worm), the cyber criminals organize them into what is known as a botnet," Prince said. A botnet is simply many compromised systems under the control of an individual or group. Botnets can range in size, but an average botnet compromises 250,000 computers, Prince said. "Conficker has been estimated as high as 10 million or more, but with a concerted effort over the last few months to tame Conficker, the estimates are between one and three million." However, any worm with several million computers under its command can "do some pretty significant damage," he said. That could include taking areas of the Internet offline in a distributed denial of service attack. But most of the time, botnets are used to send out large quantities of SPAM. Researchers and security professionals play cat and mouse to find new ways of identifying and removing malicious software such as Conficker, while the cyber criminals develop new ways of counteracting these tactics. "As a result, you get different variations of the worm. Just like a flu bug that changes from year to year, Conflicker is modified from time to time." A fourth variation on Conficker (the "C" variant) was set to be unleashed Wednesday. "We knew this because researchers had broken into the worm's code and detected that beginning April 1, the software would begin using several new enhancements," Prince said. The enhancements are what credit unions should be concerned about. They include new methods for communicating back to a master command and control system, which is much more difficult to stop than previous versions, Prince said. They also include new ways to spread from one system to another. This only affects systems that are already infected with the malware. With these enhancements in place, it would enable the cyber criminals in control of Conficker to perform some attack or use these systems more effectively while spreading/harvesting additional systems. " April 1st was simply the day the software gets enhanced. It has nothing to do with when the systems would be used for attacks. We simply can't know when they will use this botnet for their nefarious purposes. April 1st simply marks the day when they COULD do something," Prince said. "The good news is that all this media attention has put a spotlight on the issue and made a lot of people aware of this malware," he said, adding that patches, scanners and other tools are available to protect systems by detecting and removing the worm from infected systems. "There are now even scanning tools available for IT administrators to scan entire networks and detect infected systems so it no longer has to be done system by system," he said. "As a result, I believe the number of infected systems is going to be reduced significantly. Keep in mind that the majority of compromised systems are believed to be in Asia and India where pirated Microsoft operating systems are heavily used." "The bad news is that this variant of the worm has some very creative communication methods and other enhancements that post significant challenges to researches to stop this and future worms like it." Although nothing significant happened on April Fools Day with Conficker, the attention paid to it makes the world "a little bit safer," Prince said. Many will probably think of this as a cyber fire drill that worked fairly well. In another development Wednesday, authorities arrested three teenage ex-software developers they believe are the Conifer worm hackers ( April 1).

Top 10 INews NowI stories for March

 Permanent link
MADISON, Wis. (4/2/09)--Here are the Top 10 News Now stories most requested by readers during March. Use the link to review the entire story online. 10. NCUA starts stakeholder reports on corporate CUs ALEXANDRIA, Va. (3/30/09)--The National Credit Union Administration (NCUA) Friday began what it said would be periodic reporting to stakeholders on the status of the corporate credit union system. 9. House approves cramdown bill WASHINGTON (3/6/09)--The U.S. House of Representatives yesterday voted 234-191 in favor of H.R. 1106, Helping Families Save Their Homes Act, which contains a mortgage cramdown provision that will affect credit unions. 8. Flexible accounting stance may come from NCUA WASHINGTON (3/30/09)--If an accountant is willing to be flexible about when a credit union books the cost of its 1% premium being assessed to replenish the National Credit Union Share Insurance Fund, the National Credit Union Administration said it will be okay with that. 7. NCUA to consider corporate CU issues Thursday ALEXANDRIA, Va. (3/24/09)--A special closed meeting has been called for Thursday morning by the National Credit Union Administration to look at possible plans to spread out the cost to natural person credit unions of the agency's corporate credit union stabilization efforts. 6. New NCUA bill would spread out replenishment ALEXANDRIA, Va. (3/27/09)--The National Credit Union Administration announced Thursday that it has drafted legislation allowing credit unions to spread the cost of the National Credit Union Share Insurance Fund replenishment over as many as seven years 5. NCUSIF shows preliminary accounting decisions ALEXANDRIA, Va. (3/2/09)--The most recent monthly National Credit Union Share Insurance Fund report showed the fund booked both the expenses and the income associated with the corporate credit union stabilization plan in January. 4. Details to Obama loan mod plan released WASHINGTON (3/5/09)--The Obama administration released details Wednesday of its mortgage loan modification program first announced Feb. 18. 3. CUs get accounting guidance for corporate plan costs WASHINGTON (3/11/09)--The American Institute of Certified Public Accountants yesterday issued guidance on how credit unions may account Corporate Stabilization Plan. 2. NEW: Corporate CUs: Corporate costs must be spread out, Mica says WASHINGTON (3/23/09, UPDATED 11:30 a.m. ET)--The Credit Union National Association called on the federal credit union regulator and lawmakers to mitigate the costs of its decision to place two corporate credit unions into conservatorship. 1. CUs urged: Contact NCUA before corporate action today WASHINGTON (3/26/09)--Credit unions are asked to urge each National Credit Union Administration board member to provide greater transparency regarding a report by Pacific Investment Management Company LLC (PIMCO) on corporate credit unions.

Member who was shot tried to follow robber

 Permanent link
KANSAS CITY, Kan. (4/2/09)--A man who was shot several times after Credit Union of Johnson County, Lenexa, Kan., was robbed may have been shot while following the man who held up the credit union. Federal charges were filed Tuesday in Kansas City against Nicholas E. Kamphaus, 26, for one count of armed bank robbery. Kamphaus was arrested Sunday. Kamphaus allegedly entered the credit union Saturday and demanded money from one of the tellers, according to a criminal complaint. He took money from two of the teller stations and fled in a sport utility vehicle, the Department of Justice said in a release Tuesday. After the robbery, a member tried to enter the credit union’s building. An employee told him that a robbery had taken place and the lobby was closed. The man said he’d seen the robber and was going to follow him, according to the press release. Lenexas police then responded to a report of shots fired near the credit union. They found a man in a grey minivan with gunshot wounds. The victim told police he’d been shot by the robber. The next day, police received information from a witness that the robber’s vehicle was parked at a house near the credit union. Police went to the residence and uncovered shell casings from the vehicle that matched the casings found near the minivan. Kamphaus faces a maximum penalty of 25 years in federal prison and a fine up to $250,000.

Pennsylvania couple sues CUMIS

 Permanent link
PITTSBURGH (4/2/09)--A Pennsylvania couple is suing CUNA Mutual Insurance Society (CUMIS) through a class action lawsuit that alleges CUMIS was in error when it stopped disability insurance coverage for credit union loans. The suit alleges that CUMIS incorrectly stopped disability coverage 10 years after the loan began--rather than 10 years after the man who took out the loan lost his job (USA Today March 31). Ronald and Donna Ogrizovich of Aliquippa, Pa., filed the suit, which also claims CUMIS doesn’t adhere to Pennsylvania law by warning customers when such policies don’t cover the entire loan term. When the couple got a second mortgage from their credit union in October 1997 they agreed to pay extra for disability insurance, the newspaper said. The couple claims they were told the insurance would pay for 10 years of mortgage payments in the event the policy holder became disabled. The suit alleges the couple made payments--biweekly payments of $238 until August 2003, when Ronald Ogrizovich--an airport baggage handler--lost his job due to severe arthritis, the paper said. The lawsuit says that CUMIS stopped payments in October 2007, asserting the 10-year policy began when the loan did, the paper said. “We don’t believe that the suit has any merit,” Maripat Blankenheim, CUNA Mutual Group spokeswoman told News Now. “We certainly are defending [our position] and believe we will be successful in that defense.” The case has been moved to U.S. District Court in Pittsburgh, the paper said.

Ohio lawmakers hear message CUs safe sound secure

 Permanent link
COLUMBUS, Ohio (4/2/09)--Nearly 80 Ohio credit union leaders converged on the state Capitol Square Tuesday to share insight into credit union initiatives with their state legislators during Credit Union Day at the Statehouse.
Rose Bartolomucci, assistant superintendent of credit unions for the Ohio Division of Financial Insitutions, addresses credit unions at Ohio's Credit Union Day at the Statehouse.
In all, they conducted 82 meetings with Ohio General Assembly members. Discussions centered on mortgage moratoriums and allowing credit unions to accept municipal deposits. Attendees also heard top state legislative and political leaders discuss their agendas. Speakers included House Speaker Armond Budish (D-Beachwood), Senate Finance and Institutions Chair John Carey (R-Wellston), state Treasurer Kevin Boyce, and state Auditor Mary Taylor. Credit union regulators from the Ohio Division of Financial Institutions also addressed the group. "We have great credit union leadership in the state of Ohio, and they understand the importance of building relationships with their local leaders," said Ohio Credit Union League General Counsel John F. Kozlowski. "With so many pieces of legislation focused on financial institutions, we need to make sure our state leaders understand that our credit unions are safe, sound, secure, and ready to lend," he said. A reception, sponsored by OCUL Services Corp., was held after the meetings.

From left, Tamlyn Straight-Schervish, CEO of Unity Catholic FCU in Cleveland, Ohio House Speaker Armond Budish (D-Beachwood), and Jennifer Ferguson, CEO of Bay Area CU, Oregon, Ohio.

Aaron Michael of Atomic CU, Waverly, Ohio, discusses credit union legislative initiatives with Ohio state Rep. Kris Jordan (R-Powell).(Photos provided by the Ohio Credit Union League)

Alabama league introduces data security legislation (04/01/2009)

 Permanent link
BIRMINGHAM, Ala. (4/2/09)--The Alabama Credit Union League (ACUL) introduced a bill in the Alabama legislature to protect consumers’ financial data. Senate Bill 545 is sponsored by State Sen. Roger Bedford (D-6), and House Bill 797 is sponsored by State Rep. Tammy Irons (D-1). The legislation, originally introduced in the 2008 session, generated significant discussion in the legislature, said the league. “We knew going into this that legislation of this magnitude takes multiple sessions to pass,” said Gary B. Wolter, ACUL CEO. “However, with new breaches still occurring, such as the Heartland [Payment Systems] breach, it is imperative that we keep pushing this important piece of legislation, gaining momentum and traction in the legislative process. Credit unions and their members appreciate the hard work of Sen. Bedford and Rep. Irons for their dedication to this important bill.” The bill contains three major provisions to address the growing problem of sensitive financial information being compromised. It:
* Requires that entities experiencing a data breach must notify consumers. Alabama is among a shrinking number of states that has no notification requirement, leaving financial institutions and consumers with inadequate information to protect accounts after a breach, ACUL said. * Prohibits the retention of sensitive consumer financial data, such as the content of a magnetic stripe on a plastic card, a personal identification number, or a card validation code. The requirement follows the existing standards from the Payment Card Industry Data Security Standard. * Requires any entity that experiences a breach and that has held such prohibited data reimburse the issuing financial institution for the cost of reissuing cards and /or take appropriate steps to protect accounts at risk.
“This legislation will help ensure that anyone who uses this most sensitive account information must be as careful with it as are credit unions,” Wolter said. “Essentially, the bill protects consumers and ensures a fair environment for everyone because when someone other than the consumer’s financial institution stores all the keys to a person’s account, it creates problems. It is not a question of if there will be a serious breach, only when it will be and how bad will it be.”

CU System briefs (04/01/2009)

 Permanent link
* SHREVEPORT, La. (4/2/09)--National Credit Union Administration (NCUA) Vice Chairman Rodney Hood is scheduled to speak at the 2009 Annual Membership Meeting for Shreveport (La.) FCU Tuesday, announced Helen Godfrey Smith, president of the credit union. "Mr. Hood has a thorough understanding of the needs of credit unions during these times of economic uncertainty," said Godfrey Smith. "He recognizes the opportunities facing the credit union industry going forward. Our members and guests will gain an in-depth understanding of financial issues and the safety and soundness of credit unions," she added … * CEDAR RAPIDS, Iowa (4/2/09)--The shutdown of a Sealed Air Cryovac manufacturing plant in Cedar Rapids, Iowa, has prompted the merger of Cryovac Employees CU with Dupaco Community CU, based in Dubuque. Cryovac's office in the plant closed Tuesday after the merger was approved overwhelmingly by members at a special meeting Saturday. The merger was effective Wednesday, with Cryovac members having access to Dupaco's full products and services. State and federal credit union regulators approved the merger. Cryovac had 638 members and more than $2.7 million in assets. A full-time employee at Cryovac has joined the staff at Dupaco, which has $546.1 million in assets (Cedar Rapids Gazette March 31) … * WESTBROOK, Maine (4/2/09)--Maine CUs' Campaign for Ending Hunger made its largest, one-time donation--$19,000--to the Good Shepherd Food-Bank. The amount represents the 19 years the credit unions have raised funds for ending hunger. The contribution, made in memory of JoAnn Pike, founder of the food bank, brings the total raised in her memory to $81,000 and the total raised over the 19 years of the campaign to more than $375,296, a record. From left are Luke Labbe, president/CEO of PeoplesChoice CU and chair of the Maine Credit Union League's Social Responsibility Committee, and Rick Small, executive director of Good Shepherd Food Bank. (Photo provided by the Maine Credit Union League) … * GREENVILLE, Tenn. (4/2/09)--A woman convicted of embezzling $105,900 from member accounts at the Rogersville, Tenn., branch of Kingsport-based Appalachian Community FCU, has been sentenced to 30 months in prison, followed by five years of supervised release. Trena Bledsoe, who pleaded guilty to embezzlement and making a false statement in connection with a bankruptcy, faced a maximum sentence of 30 years in prison and $1 million in fines. The embezzlements occurred between April 2006 and August 2007. Court records indicated Bledsoe placed an electronic flag on three members' accounts, which prevented the credit union from mailing statements to the members. ( March 31) …