Ohio CUs, Banks Hit By Debit Card Data Breach; Source Still Unknown
COLUMBUS, Ohio-Five credit unions in Northeast Ohio have become victims of a significant data breach that began in April and which has also affected at least eight area banks.
Authorities believe the card information was stolen from a single source then used to create counterfeit debit cards which are being used in the fraudulent transactions. At press time the source of the breach had not been identified.
The breach reportedly has affected Cleveland-based Century Federal Credit Union, Parma-based PSE Credit Union, Cleveland-based Steel Valley FCU, Akron's GenFed CU and Firefighters Community CU in Cleveland. Reports indicate that anywhere from two to several hundred members have been affected at the various credit unions.
Century FCU reportedly has been the credit union most greatly affected, where as many as 200 members may have been victims of the data breach. One police report noted a line through the lobby and out the door as members reported fraudulent activity. The fraud and the resulting response has received local press coverage, including in the Cleveland Plain Dealer.
According to reports released from the North Olmsted, Ohio Police Department, tens of thousands of dollars were spent at stores that included Giant Eagle, Target, Party City and liquor stores. The charges occurred not just in Ohio, but in California, Illinois, Alabama and more.
CEO Disputes News Report
The Plain Dealer reported two additional credit unions as being victims of the breach, but for his part, Best Reward CU CEO John Shirilla said that his institution has not been affected by the breach. He said perhaps a merchant may have, leading to a Best Reward member being affected. He first heard his CU's name mentioned in the case in a Plain Dealer article.
The fraudulent actions took place largely in May, much of it around Memorial Day weekend. Credit Union Journal reached out to several other CUs affected but received either no comment or calls were not returned before press time. The Electronic Crimes Task Force of the Secret Service is reported to be leading the investigation.
Patrick Harris, director of media relations at the Ohio Credit Union League, said that the OCUL does not yet know the total number of members affected and has not yet heard directly from all of the credit unions involved.
"I'm not sure if they have a full understanding of everybody affected," said Harris, adding that "right now they're still in containment mode."
The total amount of fraudulent activity is estimated to be in the tens of thousands of dollars, though it is unknown at this point how much each credit union was bilked. Harris noted that a similar data breach more than three years ago affected more than a dozen CUs in the state, although "it didn't amount to any actual lost membership dollars."
As part of the proposed legislation in Congress related to such breaches, NAFCU has been urging lawmakers to include provisions that would require the source of the breached data to pay resolution costs, such as card replacement and cardholder notification; set national standards for safekeeping of information; public disclosure of where the breach occurs; and strict enforcement of the existing prohibition on data retention.