As Breach Stats Grow, How Should Credit Unions React?

Are credit unions learning from the recent data breach security mistakes?

The growing danger of cybercrime.

The San Diego-based Identity Theft Resource Center added 90 incidents to its March breach list, with the business sector again leading by percentage and number of recorded breaches (50%, 45 breaches).

Hacking attacks represented nearly one-third of the breaches in the March ITRC report. Of these incidents, 46% involved ransomware, and 36% identified phishing as the attack method. Unauthorized access hit the financial industry the hardest in March, with 77% of the breach notifications citing this as the cause.

The total number of exposed records in 2018 stands at 1,571,008 as of April 1.

Those statistics do not include the Cambridge Analytica/Facebook misuse of personal information of some 87 million users that some experts liken to “weaponized data” rather than a data breach. Nor do they include the latest incidents: the Panera Bread web site exposure of as many as 7 million customer records; the Saks and Lord & Taylor leak of 5 million credit card accounts at their POS; and the [24]7.ai fissure, which affected the card accounts of at least 100,000 Sears customers and an unspecified number at Delta Air Lines.

Still, there are lessons learned and best practices to follow.

Rebecca Herold, president of the Des Moines, Iowa-based SIMBUS and CEO of The Privacy Professor, cited how the Delta/Sears breaches occurred within their third-party service provider. “They also did not hear about the breaches until many months after they actually happened.” She added that this is a significant third-party vendor breach and that [24]7.ai made many mistakes.

Herold shared how the recent breaches relate to credit unions. The breach potentially affected over 37 million credit and debit cards. Credit unions likely issued a portion of those cards. She suggested credit unions need to prepare for these types of incidents by ensuring procedures and training are in place to handle the fallout.

Herold pointed out that credit unions similarly engage at least some contracted service providers, some offering chat support, that involve the collection, transmission, storage or other type of handling of customers’ financial and personal data. “They cannot allow their contractors to wait many months to let them know of a breach of the customer data that the credit union entrusted to them. Remember, the credit union is ultimately accountable and responsible for that customer data.”

Credit unions also share some commonality with Panera Bread. “Many credit unions have internal staff managing their websites, along with doing a wide range of other website changes and administration,” Herold said. But usually they are also doing many other things, and often do not have sufficient security training to ensure mitigation of all security vulnerabilities. “When a credit union does not invest enough in securing their website, or their information security team in general, they put their business at risk of having similar breaches occur within their organization.”

Nick Bilogorskiy, cybersecurity strategist at Sunnyvale, Calif.-based Juniper Networks, said, “Nowadays, business is conducted with the help of third-party service companies that provide savings by solving a piece of the puzzle for big companies, like online transaction support, for instance. In such cases, the third-party vendor increases the attack surface and the risk of a cybersecurity breach for the enterprise.” Bilogorskiy mentioned third parties were the vector for many high-profile breaches, 63%, according to a Soha Systems survey.

Mounir Hahad, head of Juniper Threat Labs, noted it is important to understand that the Delta/Sears breaches are different from some past breaches, such as Target, where the third-party vendor was a vehicle for an intrusion into the victim’s own network. “In the case of SaaS offerings, a threat actor may not even need to breach your network, siphoning off your data directly from the third-party vendor that you do business with instead.”

John Buzzard, industry fraud specialist for Rancho Cucamonga, California-based CO-OP Financial Services, suggested credit unions can begin best practices by placing cautionary messaging on websites, ATMs and apps alerting members of the data breach events. Additionally, “Don’t forget to offer to help them gain proper access to your online banking app and account alerts. Adoption rates tend to soar when you help the member activate these tools when they visit a branch or open a new account.”