The Impact of Major and Local Breaches on Two Nevada Credit Unions
Former Speaker of the House, the late Tip O’Neill, famously said “All politics is local.” In a manner of speaking the same can be said of data breaches. JPMorgan Chase, Home Depot, Target, Neiman Marcus and other high-profile breaches affected tens or hundreds of millions. However, how a local credit union handles the fallout from a major or local breach is what’s really important to that institution’s customers.
Using research provided by the National Association of Federal Credit Union’s “October Economic and CU Monitor” and interviews with executives at two Nevada credit unions, Chris Sieroty on reviewjournal.com offers an overview of how two local credit unions deal with breaches. The following has been excerpted from Sieroty’s piece and edited to fit our format. You may find the complete, unedited article by clicking on this link.
More than 20 percent of plastic exposed
[A] majority of credit unions say local data breaches have affected their operations according to a survey by the National Association of Federal Credit Union’s October Economic and CU Monitor. [And] large national retailer breaches, such as those that occurred at Target and Home Depot, have exposed 20.6 percent of member payment cards, on average. The NAFCU estimates the Target breach cost credit unions nearly $30 million.
Small breaches cause big pain
“Small, local breaches may not garner the same headlines, but they can be just as damaging for smaller financial institutions like credit unions,” the six-page report says. “A wide majority of respondents (84.4 percent) were impacted by a local data breach during the last two years.” [And]
…most credit unions expect to spend more on data breach costs in 2015 than they did this year.
A CU CEO speaks out
“The impact of the recent card breaches has been significant,” said Wayne Tew, president and CEO of Clark County Credit Union. “Since the two most recent breaches, we have been re-issuing cards with changed expiration dates and CVV codes.”
Tew said Clark County Credit Union continues to receive daily alerts with small numbers of cards that have been breached. Clark County Credit Union operates five branches in Southern Nevada with 33,000 members and about $500 million in assets.
“To avoid any legal implications, I will refer to the breaches as coming from Party A and Party B without stating which is which,” Tew said. “To date, we have re-issued 2,440 cards due to the breach at Party A and 3,670 due to the breach at Party B.”
Losses to fraud
Direct fraud losses for Clark County Credit Union from Party A breaches so far total $22,123.76 and $830 from Party B, with more coming in.
Business as usual?
“Unfortunately, the losses are becoming a regular part of doing business,” Tew said. “Safeguards we put in place are to re-issue the cards as soon as we receive notice of possible compromise of the card.”
Another CU CEO speaks out
Brad Beal, president and CEO of One Nevada Credit Union, said in both the Target and Home Depot breaches the credit union has had to reissue debit and credit cards.
“We try to time the re-issues in such a manner as to minimize inconvenience for our members,” Beal said. “Sadly, we (have) some members who have had their cards reissued for both breaches, which multiplies the inconvenience for them.”
75,500 members could be at risk
Based in Las Vegas, One Nevada Credit Union has $800 million in assets, 75,500 members and 15 branches in Clark, Washoe and Nye counties.
“From the credit union’s viewpoint, we first must assess the magnitude of the breach, our potential loss exposure, and the cost of potentially reissuing cards,” Beal said. “These assessments require the attention of a number of our management personnel, and must be performed rather quickly.”
Monitoring transaction activity
“As to the credit union, we monitor consumer transactions carefully, watching for transactions that are inconsistent with each cardholder’s usual activity,” Beal said. “The cardholder is then promptly contacted to verify the legitimacy of any transaction that seems out of the ordinary.”
Beal said by closely monitoring consumer transactions, One Nevada Credit Union can “usually detect breaches before the merchant announces them.”
When asked if data breaches were becoming a cost of doing business, Beal said, “Absolutely not.” He said the credit union is opposed to simply accepting breaches as part of their normal business.
Strengthen data security at point of card use
“Ultimately, consumers end up paying for breaches,” Beal said. “Strengthened data security at the point of card use would go a long way to reducing these breaches, strengthening the security and reliability of our nation’s automated payment systems, and eliminating consumer inconvenience and frustration.”
Need federal standards
Beal said federal standards for merchant data security should be adopted. Tew also called for strengthening data security.
Retailers should be held responsible for losses
“The greatest safeguard would be for the retailers to have some responsibility to cover the losses incurred by the financial institutions,” Tew said. “If they would put in place the same required security systems financial institutions do, the breaches would diminish.”
Tew said retailers are proud to boast that their customers will not suffer any loss, often implying that they, the retailers, are eating the cost.
“I consider that to be deceptive business practice,” Tew said, “What retailers do not reveal is that they don’t suffer any hard losses because the costs are borne by the card issuing credit unions and banks.”
ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.
ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.
The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.
For more information, visit www.threatmetrix.com or call 1-408-200-5755.