WASHINGTON – Attorney's General from 49 of the 50 states have written CardSystems Solutions, the card processing firm whose security lapse led to the compromise of 40 million debit and credit numbers and which is still costing credit unions money, an angry letter demanding answers. The officials wrote the June 28 letter under the auspices of the National Association of Attorney's General (NAAG) and referenced the continued media reports about the security breach before they requested the number of total consumers impacted by the breach in each state, an explanation of how the breach occurred, the steps the company is taking to mitigate consumer injury and the plan the company has in place to keep data secure. The letter noted that the media reports indicated that the company had been in violation of Visa and MasterCard's Payment Card Industry Data Security Standard, the body of regulation which is supposed to keep consumer's card information safe. "This is unacceptable," the attorneys wrote. "As you are no doubt aware, the breach that occurred at your company is only the latest in a disturbing series of cases where nonpublic personal information has been subject to unauthorized access," they wrote. "In this era of increasing reliance on technology, it is vitally important that those companies entrusted with nonpublic personal information employ the highest levels of security." The letter gave the company until July 25 to communicate the information that the attorneys-general have requested to NAAG. The letter did not say what would happen if the company failed to comply with the request. Meanwhile, media in various communities have continued to report the damage to credit unions that the data breach has caused. The $958 million Affinity Plus Credit Union, headquartered in St. Paul, Minnesota, had over 4,000 credit and debit card accounts compromised by the card breach and has chosen to reissue all the cards, even though only one of the card accounts, so far, has had any fraud on it. The credit union has sent letters to all its members impacted by the breach explaining what happened and has followed those letters with calls from a staff person asking whether the member wanted their old card closed immediately or at a later time. "We decided as an organization to reach out to every single member since our goal is to build relationships founded on trust with our members," said Katie Wahlquist, a marketing manager with the credit union. Meanwhile in Norcross, Georgia, the $829 million Associated Credit Union will replace 3,000 debit and credit cards for its members whose numbers were compromised in the breach, and the $375 million National Institutes of Health CU, headquartered in Bethesda, Maryland, had 2,000 cards impacted in the security failure. The latest reported hit has been the $2.3 billion Pennsylvania State Employees Credit Union, headquartered in Harrisburg, Pennsylvania. That credit union has closed and reissued 7,300 of its cards which have been identified as most at risk, a report said. PSECU is already involved in a lawsuit it brought against B.J.'s wholesale club, one of the earliest of the round of security breaches that led it to have to close accounts and reissue cards. -

[email protected]