BETHPAGE, N.Y. — By the time many credit unions were first learning about the massive Target Corp. data breach, Bethpage FCU was already moving to alert members and protect the card base.
The speed with which the $5.4 billion-asset credit union moved, and the way it handled the card problem, held Bethpage's fraud losses from the breach to only $2,000 through the first two weeks of January and kept member confidence high.
"I think we were way ahead of most financial institutions in responding to the problem," said Robert Hoppenstedt, SVP of operations and marketing. "While Chase was trying to figure out what to do, we already had made decisions on how we would handle the situation."
Widespread media reports about the Target breach began early on Thursday, Dec. 19. Bethpage heard about the breach from Saylent Technologies, Franklin, Mass., on the afternoon of Dec. 18. Through CO-OP Financial Services, Bethpage uses CO-OP's Total Revelation data analytics solution, which is available through a partnership between CO-OP and Saylent.
Saylent learned of the breach from blog postings, security forums and web chatter, and then immediately created a filter to identify all cards in the portfolios the company supports that were used during the breach period.
"For Bethpage, we came up with a list of 11,000 debit cards, and made sure they were used in-store and not via e-commerce," said Dean Nolan, VP of product and marketing at Saylent. "We did this for institutions using our Card360 software and they were able to identify debit cards impacted by the Target breach 24 to 72 hours ahead of network notification."
The credit union then immediately applied new risk strategies to impacted cards, monitored spending patterns and prepared to send new debit cards to affected members. The old debit cards would still work, and members were told in a letter that was mailed Dec. 20 they could continue to use their old card until Jan. 15, after which their current card would be turned off. New cards were mailed early the following week.
"We wanted to allow members to continue spending during the holidays, but asked them to closely monitor their accounts and let them know we were doing the same," said Hoppenstedt. "We also told them that if they were concerned or uneasy about the situation they could come in and do an instant issue."
Before letters reached cardholders, Bethpage posted a message on the credit union's home page on the morning of Dec. 19, alerting members to the breach and telling them that some debit cards in the portfolio were affected.
"Those members whose cards were affected also saw a message on home banking that their card was impacted and learned what the credit union would be doing," said Shanta Sewnarain, AVP of operations and risk.
Overall, Bethpage's approach kept member confidence in the CU high, said Sewnarain. "A member who works in the financial services industry sent the credit union a great letter. She said, 'Bethpage is one of the best... I would never think of switching... I just want to say thank you for being so proactive.' "
Hoppenstedt added that data breaches can swing member opinion of the credit union in good or bad directions. If handled poorly, confidence will fall and members will cancel cards. If the credit union moves quickly, does its best to minimize service disruption and lets members know the CU has control of the problem, it can build loyalty.
"All I can say is that I know a lot of financial institutions were scrambling on Thursday, and some had to wait even a few more days for lists of compromised cards from Visa and MasterCard," said Hoppenstedt. "On Wednesday we had a plan and were executing it."










