News of the second Kmart credit card breach in three years at the retailer and the number of breaches at financial institutions doubling this year over the same period in 2016 should raise concerns. Security experts provided strategies to credit unions and businesses to protect credit card data.

Two weeks ago, Sears Holdings, the parent company of Kmart, confirmed it experienced another malware-based data breach of its card processing systems, which were infected with a form of malicious code. The company did not reveal how many of its 735 Kmart locations saw signs of a breach.

Meanwhile as of May 30, the total number of breaches in the U.S. captured in the 2017 ITRC Breach Report from the San Diego-based Identity Theft Resource Center now totals 698, an increase of 35.3% over last year's record pace (516) for the same time period.

Of that total, 36 incidents took place at financial institutions, twice as many as last year for the same period and affected a reported 520,000 records. Almost all FI breaches did not report the number of records exposed.

The ITRC 2017 Breach Report's break down of five industry sectors still reveals business is way in front at 55.9%, followed by medical/healthcare, 21.6%, educational, 11.9%, government, 5.4% and banking/credit/financial, 5.2%.

Of course, any incident, if it included payment information, could also touch credit union cardholders.

"Members are becoming somewhat immune to the reporting of new data breaches because they are becoming a part of everyday news," Ashley McAlpine, fraud prevention manager for the Rancho Cucamonga, Calif.-based CO-OP Financial Services observed. "Having a cardholder education program can be instrumental in keeping members' attention on new breaches or innovative techniques fraudsters are utilizing."

Rebecca Herold, president of the Des Moines, Iowa-based SIMBUS and CEO of The Privacy Professor, listed three risky ways credit unions' card breach risk increases:

  • Credit unions need to switch to chipped cards from the magnetic strip cards if they are still using them.

  • Many credit union clients, who are small to mid-sized businesses, use POS devices and systems to collect payments, with poor, and sometimes no, information security or privacy controls in place on their POS network, systems and devices.

  • Too many businesses believe their POS vendors have all the security issues they need in places without checking to verify that they actually do. "This is a very bad, and risky, assumption!" Herold said.

"Credit unions will potentially be liable and/or subject to significant losses for these types of POS breaches when their cards are involved," she added.

Herold also pointed out malware sometimes gets loaded through third parties – employees who fall victim to phishing scams, or malicious insiders who see an opportunity to collect data to sell to others or to hurt their employer.

NOT FOR REPRINT

© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.