Data Breaches: A Real and Expensive Threat for All Financial Institutions - Including Credit Unions
Tuesday, December 16, 2014 6:30 AM

In 2013, the financial industry had the second highest per capita data breach cost¹ and racked up more than $11.3 billion in card fraud expenses.² What's driving these breaches?

Two major categories: Payment card and cyber breaches
Although both types of breaches are time-consuming and expensive to resolve, there are some critical differences between them.

Payment Card
A payment card breach is a compromise of payment card data, and it is the type of breach that's made the news with depressing regularity over the past 12 months. The uptick in attacks started with Target in late 2013, and since that time has included Home Depot, Neiman Marcus, and Supervalu, among many, many others.

The two most common methods of payment card data theft are skimming and database compromise.

  1. Skimming occurs when the thief installs a card reader device on a point-of-sale (POS) terminal or ATM. When the consumer uses their card, the skimming device reads and saves the magnetic stripe data. The thief retrieves the information and voila, they're ready to create a counterfeit card. Historically, this type of skimming required a thief to physically affix a device to the POS or ATM terminal. Now, clever thieves are doing it via Bluetooth³ and malware—which is how experts believe the 70 million+ Target thefts occurred.⁴
  2. Database compromise occurs in one of two ways: when a thief thwarts a merchant/third-party processor's security tools or a merchant/third-party processor stores magnetic stripe data, which is subsequently stolen. This second method contributed to the TJ Maxx breach back in 2007. Although the card association's data security policies prohibit this data storage, not all merchants/processors follow their lead.

Cyber breach
A cyber breach involves the theft or loss of sensitive information or internal records. This could include everything from credit union financial data and personnel files to personally identifiable member data.

Common access points include:

The cloud. As the recent hacking of celebrity photos illustrates, the cloud is not as secure as we might like to think.

Public wi-fi. This can be a huge point of data vulnerability, especially in conjunction with the next item.

Personal mobile devices. Most companies let employees use their personal devices at work, but don't necessarily have security protocols in place to make that a smart choice. Plus, although consumers may be relatively diligent when it comes to protecting their computers or laptops from spyware, viruses, and malware, few take the same precautions with their phones and tablets.

Active employee theft. Much as we hate to admit it, a certain percentage of employees are active data thieves. Credit unions that don't follow best practices in data protection could be vulnerable.

Human error and system problems. According to Symantec, a data security company, two-thirds of data breaches were caused by human error and system problems.⁵ Human errors could include transferring data outside the credit union or not deleting data on an appropriate schedule. System errors include inadvertent data dumps, errors in data transfer and identity and authentication failures. Employees can also cause problems by clicking on malicious links that allow malware/spyware/viruses to enter the system.

Operating system “holes.” Most system patches resolve security issues. If you skip the update, your system is exposed.

Physical data theft. Although we tend to focus on electronic theft, paper data is also vulnerable.

Protect your credit union from data breaches: Contact your CUNA Mutual Group Sales Executive at (800) 356-2644 for information about available risk management tools and cyber liability policies.

©CUNA Mutual Group, 2014 All Rights Reserved.


1 Nilson Report, cited in “Target Breach Spurs Push for Anti-Fraud Card Technology,” Bloomberg, Jan. 14, 2014

2 2013 Cost of Data Breach Study: Global Analysis, Symantec, conducted by Ponemon Institute ( Report_daiNA_cta72382.pdf)

3 Krebs on Security, “Gang Rigged Pumps with Bluetooth Skimmers,” Jan. 14, 2014

4 Nicole Perlroth, “Target Investigates Breach Involving Credit Card Data,” The New York Times, Dec. 18, 2013

5 2013 Cost of Data Breach Study: Global Analysis, Symantec, conducted by Ponemon Institute ( Report_daiNA_cta72382.pdf)