Unfortunately, a phishing attack against a credit union is nothing to admire. However, the speed and efficiency of the response to one such attack by Arizona State Savings & Credit Union is.
The Arizona State Savings & Credit Union (ASSCU) branch at the University of Arizona was alerted to the problem when students walked into the credit union and reported a suspicious e-mail had been sent to them. Someone had accessed 9,000 state university e-mail addresses and sent a phony message asking for information, according to ASSCU SVP of Planning and Strategic Services Jill Bechard. Bechard said the e-mail asked for the member's name, account number and a credit card number, but not for a social security number.
"In the email, was a replica of our website," Bechard said.
In response to previous suspicious incidents, ASSCU staff enacted a step-by-step plan. In only four hours ASSCU quickly shut down nine student accounts, took down its own website, alerted two other state universities to the problem, called the FBI and Secret Service, alerted the media, contacted CUNA and sent e-mail notifications to each of its 42,000 members who are online users.
Bechard said the Secret Service traced the offending website and had its internet service provider (ISP) shut the site down. "They closed the site down immediately," she said.
ASSCU's plan is designed to quickly assess what has happened, then form a team of department managers and vice presidents to counteract the problem and then determine how everyone, from the top, to frontline tellers and members, will be informed.
"Right away we get the CEO involved," she said.
The credit union's website was returned online after three hours of downtime, she said. Bechard said credit unions should also consider how a system breach will be perceived by the public after different organizations start issuing their own press releases.
Listed below is a summary of ASSCU's established plans for any "large-scale event that would pose a risk to the integrity of our internal systems, image or membership of the credit union."
*Electronic Systems Compromise-obtain and document all factual information. This section also includes emergency situations (crime or life threatening event) how to react to media, law enforcement or medical services inquiries.
*Reporting Responsibilities-contact your supervisor and senior management immediately (this step will be different for any credit union but would include each department vice presidents).
*Notification of the CEO-information provided to VPs should be relayed to CEO for consultation.
*Management Strategy Meeting-gather or teleconference with all affected executives and managers to develop action plan.
After the strategy meeting, senior management communication begins communicating with:
* Affected branches/departments.
* VP branches and regional AVPs.
* Audit department-request any relevant compliance information for dissemination.
* All associates-include situation after incident, analysis, actions steps, Q & A and talking points for members.
* Volunteers-Board of Directors, supervisory committee and credit committee.
* Legal Counsel-Arizona State Savings and & Credit Union CEO determines whether to contact legal advisor.
* Human Resources-a system breach might involve resource allocation and staff overtime pay.
* Senior management communication to local media and regulatory agencies-this list includes NCUA, your state banking department, ACUL, local media and trade publications such as The Credit Union Journal.
* Follow Up Communication-Board, associates, etc.
