Hard Lesson Learned About Hard Drives: One CU Adopts New Security Procedures


Following the discovery that member data was still recoverable on a recycled hard drive, Power FCU has implemented a variety of protocols to beef up the security of its members' privacy.

As reported in the May 26 Credit Union Journal, the credit union sold 20 computers, but only after wiping the hard drives clean. But not clean enough, as the credit union learned when a local TV station bought one computer and was able to recover member data. Nineteen of the hard drives remain unaccounted for.

As a result, Power FCU has adopted a number of new measures to ensure it doesn't happen again. In addition to physically destroying and incinerating old hard drives, the $263-million CU has also established a number of procedures related to squelching the potential for identity theft. In fact, even before the recycled hard drive came to light, PFCU had been engaged in a review of security protocols over the last nine months. Among the procedures that have been implemented:

No more printed receipts. The credit union still prints receipts for members, but it no longer prints copies to be filed and kept by the credit union.

Account identity codes or passwords are being assigned to all new and existing member accounts. Passwords will be chosen by the members and will be required for all transactions.

Secure response queries are being set up in case a member forgets his password. Information that is commonly known or readily available through public records, including such standards as mother's maiden name, will not be used.

"If a credit union is using Social Security Numbers as identification, it's not good enough," said CEO John D. Wakefield. "The idea that your Social Security Number is confidential is a myth. We had a security firm demonstrate for us how they can find your Social Security Number in about five minutes on the Internet."

To some extent, requiring all tellers and call center representatives to ask for a password before conducting a transaction for a member will add some time onto the transaction, but members have been supportive of the new security measures, Wakefield said.

"Things were slowing down at first, but as our staff and our members have gotten used to the new procedures, things are going more smoothly now," he noted. "Really, the only complaint we've had has been that it's hard for some members to come up with truly unique secure response questions and answers. They're a little surprised when we tell them they can't use their mother's maiden name, for example, but then we explain that you can log on to a genealogy site on the Internet and find that information out with relative ease."

In fact, members' reaction to the news about the potential compromise of member information via a recycled hard drive, as well as to the new security procedures, has been pretty supportive, Wakefield observed.

"It's amazing, members have a lot of faith in their credit unions," he said. "We had a lot of phone calls (when news of the recycled drive broke) but no account closures. On that first day when we started requiring passwords for everything, we had some members who said this is a great idea. With identity theft and computer security so much in the news, credit union members are becoming very much aware of all this information that is out there and how important it is to protect it."

Another new feature to come out of all this is a credit report offering. "We'll give members a free look at their credit reports at any time, so they can ensure that all the information on it is correct, and they can see who all is looking at that report," Wakefield related. "We will go over that report with them and explain how the scores work and what they can do to raise their scores."

The credit union will also be moving to a thin-client server, which will allow the credit union to keep all member data on the server rather than on its hard drives.

"Thin-client technology will eliminate the need to have hard drives on any work station, so all that data will be stored on central servers," Wakefield explained. "Eventually we will destroy all of our hard drives, then in the future, we simply won't have any hard drives."
