
MICHAEL DEMBOWSKI
Losses mounting
Last year, hackers infiltrated Natick-based BJ’s Wholesale Club’s computer system and stole 40,000 debit and credit card numbers. Many of those cards were linked to the accounts of credit union members and now leaders of those financial institutions are saying they’re the true victims, not the merchants, and are asking a congressional committee to change the way security breaches are handled.
Last week, Eugene Foley, president and chief executive officer of Cambridge-based Harvard University Employees Credit Union, testified before the House Financial Services Committee in Washington, D.C., during a hearing titled “Assessing Data Security: Preventing Breaches and Protecting Sensitive Information.” Foley’s testimony grew out of a recent conversation on the topic of financial data security with Rep. Barney Frank, D-Massachusetts.
“I have experience with this issue not only as the CEO of a credit union that had about 700 of our 10,000 card accounts compromised in one incident last year, but also as a recent victim of identity theft myself,” Foley said in his testimony. Harvard University Employees Credit Union was one of the institutions affected in the BJ’s incident.
Of his own brush with identity theft, Foley said, “While I was sitting in my office, with my own debit card securely in my wallet, my checking account was cleaned out by a series of card purchases made 3,000 miles away. In a matter of minutes, over $2,000 was stolen from my account. Given my position, I am particularly responsive in protecting my own sensitive information, but this caution is meaningless when entities that have captured and retained the data contained on the card stripe are careless or not compliant with security standards.”
Foley’s testimony comes about a month after the CUNA Mutual Group, a credit union services company based in Wisconsin, filed a lawsuit against BJ’s on behalf of 163 of its credit union bondholders. According to CUNA, the lawsuit seeks to recover millions of dollars in losses incurred by CUNA Mutual and its bond policyholders. The lawsuit argues that BJ’s was storing account and customer information in direct violation of card association rules and regulations when the information was compromised by hackers. BJ’s did not return a phone call from Banker & Tradesman seeking comment.
Many local credit unions and their members were affected by the breach last year. Approximately 5,000 Workers’ Credit Union member accounts were compromised during the BJ’s incident, said Michael Dembowski, senior vice president of operations at the Fitchburg-based institution.
To ensure its members were protected, Workers’ reissued every compromised card, a step that cost the credit union about $5 per card, or a total of about $25,000. Unlike some of the other institutions involved, no money was taken from any Workers’ accounts and the reissue of cards was a precautionary move.
When fraud actually occurs and money is taken from someone’s account, it can cost a financial institution even more.
“[The frequency of fraud has] probably gone up within the last two to three years where we’ve hit our deductible on our insurance,” Dembowski said, adding that the credit union loses between $15,000 and $20,000 in fraud-related incidents each year.
Workers’ has 30,000 debit cards and 8,000 credit cards in circulation.
“The more cards you have out there, the bigger the risk,” he said.
In his testimony, Foley said that existing rules regulating merchants have not been effective.
“There are card association rules in place regulating how the consumer information, which is imbedded on the magnetic stripe on the back of each card, should be handled, but these rules have proven to be both insufficient and laxly enforced,” Foley said. “Absent card association enforcement or legislative redress, credit unions have had to resort to litigation in order to find remedy for these losses.”
In a later interview with B&T, Foley said Harvard University’s credit union had information related to 700 cards compromised during the BJ’s breach, but only two accounts were actually affected by fraud. However, $12,000 was stolen between the two accounts.
‘Reputation Risk’
Another issue that makes security breaches even more difficult for financial institutions is “reputation risk,” Foley said. Because the card associations often don’t supply banks and credit unions with the source of the breach, customers tend to assume the financial institution is at fault.
“There needs to be better rules for disclosure because the reputation risk has been passed on to credit unions,” Foley said.
During his testimony, Foley said it is the credit union industry’s hope that credit card associations will eventually be required to notify financial institutions immediately in an electronic format that would include when the breach occurred, which merchant is responsible for the breach and which accounts are affected. Foley also suggested that the associations should detail what type of personal information was compromised.
Jim Blake, president and chief executive officer of Brockton-based HarborOne Credit Union, said the card associations must play a larger role in helping prevent breaches of security.
“Visa and MasterCard have to be held accountable for the systems they put in place with merchants,” Blake said.
Like Harvard and Workers’, HarborOne also was affected by the BJ’s breach last year and replaced all the compromised cards.
“If you only replace the cards that have fraud, you create a false sense of security,” Blake explained.
Some credit unions reissue new cards to all customers compromised in a breach, while others only reissue cards to the accounts where fraud actually occurred. Creating a standard response procedure for such occurrences in the credit union industry also is a practice that Blake supports.
“What we’re trying to do is have the industry take a uniform position on [how to respond to] these breaches,” Blake said.
Credit unions should be given more information when it comes to security breaches, he said.
“Don’t we have a responsibility to the consumer to make them aware their data has been stolen and could be used in another avenue?” Blake said.
Blake calls the credit card associations’ policy “flawed” because they do not acknowledge which merchants were involved in a breach.
“We sit here and have to notify the customer base,” Blake said. “We can’t tell the customer where [the breach happened].”
Foley noted that many times the card issuer is relying on media reports to determine the nature of a breach.
While some security breaches are more widely publicized, credit union leaders say incidents involving compromised card data happen far too often.
“It’s becoming almost weekly [or] monthly that we’re seeing these breaches,” Blake said.
Harvard University Employees Credit Union has not hired additional staff to maintain the credit union’s card base, but Foley is reevaluating staffing levels as threats to security continue to escalate.
“We traditionally have two people supporting 10,000 cards,” Foley said.
Some credit unions have been forced to hire part-time employees to maintain the compromised card databases. Foley said it is not uncommon to receive a multi-page fax listing hundreds of compromised cards. Despite the frequency of the breaches, Foley said it is the larger ones that hurt credit unions most.
“It’s the large-scale breaches that are creating a significant drain on resources of [card] issuers,” he said.
Ultimately, the issue won’t go away until things change, according to industry leaders.
“The market is going to cause the problem to have to be fixed,” Blake said.
Jennifer Jope may be reached at jjope@thewarrengroup.com.





