WASHINGTON and MADISON, Wis. (12/27/13)--Credit unions should keep a tally of the costs incurred from fraud and replacement of the debit and credit cards compromised in the recent Target data breach so they can report it later, said the Credit Union National Association. CUNA plans to open a data collection website next week and will provide further details as soon as it becomes available.
The breach involved 40 million debit and credit cards holiday shoppers used at Target stores from Nov. 27 to Dec. 15.
"As we all know, the Target breach--which has apparently compromised millions of credit and debit cards, many of them held by credit union members--has the potential for creating substantial expense for credit unions and other financial institutions," said CUNA President/CEO Bill Cheney. "CUNA is on the case, looking out for credit union interests, and will continue to do so. We have been in close contact with the payments processors, getting their take on what has happened and the impact on financial services providers, especially credit unions.
"We have initiated discussion with key congressional contacts about our on-going concerns of the responsibility of merchants to protect data, and be accountable for the consequences of data breaches when they occur," Cheney said. "In the meantime, we are setting up a website to collect data on costs incurred by credit unions in response to the Target breach."
Until the data collection website is live, credit unions should consider keeping a tally of costs as they incur them so they can report as soon as CUNA has the website up and running, Cheney said. "Overall, our top priority has been to make sure that credit unions and banks have the information they need to service their members in the short term." CUNA will keep credit unions "closely informed as our work on this matter develops, particularly when Congress returns to work," he said.
When the breach was announced last week, the Missouri Credit Union Association immediately contacted Missouri's U.S. senators and representatives about the need for legislative solutions (Missouri Difference
Dec. 23). MCUA staff also briefed the state's credit unions on the breach and strategies during its regular legislative call Dec. 19. Like other state leagues, it is consulting with credit union experts and CUNA on how to best to address the issue.
"We have communicated with the entire Missouri delegation about the need for a legislative solution to this situation," said Amy McLard, MCUA senior vice president of advocacy. "We hope that the nationwide aspect of the Target data breach will provide an impetus for congressional action." MCUA will send a questionnaire to member credit unions to investigate practical reforms related to the breach.
Meanwhile, the Federal Trade Commission, in a blog, said that scammers claiming to be Target are sending out phony Target e-mails pretending to help those with compromised cards. Instead, the scammers "actually want to trick you into giving them your personal information. And they are skilled at making the e-mails look real," said FTC (OnGuardOnline.gov
Dec. 23). FTC advised anyone getting an e-mail claiming to be from Target to do two things:
If the e-mail asks for personal or financial information, assume it is a scam. Don't reply. No legitimate business will ask for personal information through unsecure methods like e-mail.
If there are links in the e-mail, don't click on them, even if they seem legitimate. Scammers can use links to install viruses that direct you to spoof sites that aim to steal information. Hovering over a link can reveal a deliberately misspelled Web address or a completely different destination. "Your best bet is to type the URL directly into your browser," FTC said.
In other developments, U.S. Sen. Richard Blumenthal (D-Conn.) urged the FTC to investigate Target's security practices to see if the retailer failed to adequately and appropriately protect its members' data. He said he would push to give the agency more authority to penalize companies with large data breaches. Currently, the FTC doesn't have authority to impose fines for data breaches (IDG News Service
Credit unions across the country are reporting thousands of their members' debit and credit cards were among those compromised and are assisting members impacted.
For example, Sacramento, Calif.-based Golden 1 CU--the nation's seventh largest credit union with $8 billion in assets, said Tuesday that 67,000 of its members were affected by the breach.
"Golden 1 is proactively replacing all potentially impacted cards," said Donna Bland, Golden 1 president/CEO. "The safety and security of our members' accounts is a top priority for us. It's important for our members to know they can rely on Golden 1 to protect their accounts."
Golden 1 notified members via e-mail and letters, telling them they can continue using existing cards until the new cards are activated. It did not change daily purchase or cash withdrawal limits "as this could negatively impact members during the busy holiday shopping season." It told members to monitor their account activity regularly and report anything suspicious immediately. Bland also noted that "as a first line of defense, our mobile and text alerts can be set up to let you know when transactions occur."
In Eau Claire, Wis., Royal CU said Monday in an e-mail to members that 6,458 member cards--1,219 credit cards and 5,239 debit cards--were among those compromised and there might be more. The $1.33 billion asset credit union is replacing all the cards, which will take 18-21 days. Members can use their current card until the new card is reactivated.
Target's breach will not alter two fundamental reasons cyberattacks have become almost routine, said USA TODAY Tuesday:
The U.S. is the weak link in the migration to chip-embedded payment cards. It still relies on magnetic stripes, which are easier to counterfeit than European MasterCard Visa (EMV) chip-embedded cards.
American corporations and consumers have become accustomed to public disclosures of massive data breaches, and retailers and financial institutions have added media specialists and lawyers to absorb associated losses as an "extraordinary cost of doing business."