ARLINGTON, Va. — As more details about the massive Target data breach trickle in, NAFCU and CUNA are taking aim at retailers to help prevent another large theft of consumer data.
Target reported that its stores have been hit with a credit and debit card attack involving up to 40 million accounts. The compromise occurred between November 27 and December 15. The theft, analysts told Credit Union Journal, is a sign cyber criminals are increasing their attention on the U.S.
NAFCU President and CEO Dan Berger wrote to House and Senate leaders urging them to pass bills to require merchants to adopt minimum data security standards and be accountable for breaches.
"NAFCU urges Congress to make the issue of data security a priority in 2014, including convening hearings on the data protection standards of merchants and what can be done to strengthen them," Berger wrote. "Furthermore, we recommend Congress take action to enact provisions to protect consumers from breaches that compromise their financial and personally identifiable information. Data security is a common-sense bipartisan issue that must be addressed."
CUNA President Bill Cheney stated on the association's website that the Target breach calls for greater security measures among retailers.
"This latest breach — while at this point reportedly smaller than the March 2007 TJX Cos. Inc. breach — once more raises the issue of the retailers' responsibility in securing information for card transactions at their stores," Cheney said. "Credit unions and other financials typically foot the bill for the breaches, in the form of issuing new cards and other security responses--as well as the reputational costs to member and customer trust in financial transactions using cards."
Payments experts and credit union executives told
Experts have stated there is still much to be learned about the Target breach. Several sources have indicated there has been no PIN data compromised. However, what is known is that the cybercriminals have obtained the basic account data stored on the magnetic stripes of the credit and debit cards — information such as name, account number and card expiration data.
Ann Davidson, senior consultant, risk management at CUNA Mutual Group, Madison, Wis., said the card data at risk is both Track 1 and Track 2 magnetic stripe data. She also noted that Target's REDcard, which uses the ACH system, was compromised.
"Credit unions need to pay attention to any ACH withdrawals from Target during the compromise period. It's a low risk, but still another risk to pay attention to," she said.
This breach is a wake-up call for all card issuers and retailers, said security blogger and expert Brian Krebs, who spoke to American Banker, an affiliate of Credit Union Journal, in an exclusive interview.
"Hackers that do this kind of stuff are really good at finding vulnerabilities in specific products," Krebs said. For instance, if the hackers found a vulnerability in Target's POS system that lets them move through the system, there's a good chance other retailers have a similar setup and could be hit the same way.
"I guarantee if you're a big box retailer, you're taking a real close look at this right now," Krebs said.
The breach bolsters NCUA's stance that credit unions must step up their cyber security attention, as fraudsters take dead aim at the U.S., being the last G20 country to convert to EMV. The agency has stated the area will be a key focus of examiners next year.
In an exclusive interview with Credit Union Journal, NCUA Chairman Debbie Matz stressed that credit unions need to do a very good job with cyber security.
"If you are a credit union and you are using a vendor for payments systems and you have weakness in your system, it will spread to the vendor and that vendor will spread the weakness to all the institutions that use its services," Matz said.
CUNA Mutual Group's Davidson said the breach is a sure sign fraudsters are stepping up their focus on the U.S. and that credit unions must be extremely vigilant in 2014. "We have clearly seen fraud increase as criminals turn to the U.S. prior to the rollout of EMV here. I just spoke with a credit union that has seen its fraud occurrences triple this year compared with last year."
