Despite swirling speculation about a massive credit card breach at national retailer Home Depot, the latest word from the CEO Frank Blake at a Thursday investors' conference is the company is investigating a breach. He has yet to confirm that a breach happened.
According to Blake, the company learned about the possible breach Tuesday morning and has been “working around the clock to find the breach.”
What does this mean to credit unions and their members?
Security blogger Brian Krebs – who is credited with breaking the news of the Target breach late last year – has said that his analysis of large batches of credit cards for sale at online criminal bazaar Rescator [dot] cc “suggests” that a Home Depot breach “involves nearly all of the company's stores across the nation.”
Card data for sale at Rescator is sortable by ZIP code (crooks prefer to buy cards in their own neighborhoods because they are less likely to trigger security alerts when used locally). According to Krebs, a comparison of the ZIP code data between the unique ZIPs represented on Rescator's site and those of Home Depot stores show a staggering 99.4% overlap.
The breach, if confirmed, may be much bigger than the Target breach, which involved 1,800 stores. The Home Depot breach may involve 2,200 stores.
Some credit unions are proactively taking steps to inform members about the possible breach and what it might mean.
At the $2.3 billion Affinity Federal Credit Union in Basking Ridge, N.J., a notice was prominently displayed on the credit union's home banking site.
“Affinity is aware of the recent reports of a Home Depot credit and debit card breach. Please be assured that there is no need to take any action regarding your Affinity credit or debit card – you may continue to use your cards. However, if your card is identified as part of the breach, we will contact you by mail regarding the replacement of your card,” the notice said.
“We are not seeing anything directly related to Home Depot yet, but the black market usually takes some time to work it into their system,” Affinity CEO John Fenton said. “We are getting a lot of calls from members who are getting nervous with all these breaches.”
In past breaches, Affinity and other proactive credit unions took steps to monitor which member credit cards might have been involved in a breach, action taken before alerts were received from large credit card issuers. Accordingly, they said actual loss volumes were very low.
At the $60 billion Navy Federal Credit Union in Vienna, Va., SVP, Security Robert Carlisle said the nation's largest credit union is monitoring the situation.
He added that, in incidents such as this, Navy Federal tells its members to check their account information frequently and report suspicious transactions immediately.
Other institutions offered similar advice, with many suggesting that members also review their credit report at least once annually.
At St. Petersburg, Fla.-based CUSO PSCU, Chief Risk Officer Steve Ruwe said, “we have been tracking this situation for a few days.” He cautioned that, thus far, not enough factual information is known to come to firm conclusions.
He pointed out that so far, nobody has disclosed the duration of a breach, if in fact one occurred, or what information was taken.
Ruwe's advice to credit unions is to wait for confirmed info and then decide if card reissue makes the best sense for the institution and its members. Sometimes it won't, he said, indicating that fraud analytics can provide considerable security without incurring the costs of card reissue.
Russ Spitler, a vice president at San Mateo, Calif.-based security firm AlienVault, didn't have any good news. He counseled financial institutions to expect more big retailer breaches.
“Major retail chains are easy targets because they have not invested in cybersecurity,” he said. “Banks are no longer easy targets. They have fortified themselves and even built protections for their consumers, but point-of-sale systems originally designed and built years ago are easy places to grab a foothold.
Hackers are focusing on retailers because that is where the money is, he added. It is the easiest target with the greatest reward.
“We have just seen reports of incredibly sophisticated attacks against major Wall Street banks – customized malware and long campaigns – if that is what it takes to break into a bank, no wonder the bigger breaches are focusing on the less sophisticated targets with just as large an economic potential,” he said.
Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.
Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
- Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
Already have an account? Sign In Now
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.