It's the most wonderful time of the year — unless you're paying with plastic, in which case this holiday season might be a little scarier than in years past.
The biggest financial story of 2014 didn't actually begin this year. One week before Christmas 2013, news broke that Target Corp. was the victim of a massive data breach, with 40 million customers' credit and debit cards exposed.
Since then, retailers including Home Depot, Jimmy John's, Bebe and many others have been hit, and a massive attack on Apple's iCloud during the summer exposed thousands of users' private information, as well as compromising photos of celebrities such as Jennifer Lawrence and Kate Upton.
"We had heard of breaches before, but not necessarily [at merchants] as big and as popular as Target," said Nicole Reyes, senior fraud prevention analyst at The Members Group. "I think that made the merchants realize that if this can happen to them — who probably have put in the money around beefing up their encryption — then it can happen to me. It was an eye-opener for the merchants."
But, Reyes added, the breaches had a similar impact on consumers, who she said weren't really engaged with the issue until Target was hit.
"Before that, being a consumer you might have had a credit card for the last 10 years and not been compromised or didn't know you were compromised," she said. "I think it really opened it up for the consumer when Target happened — not only that this can happen anywhere, but this can happen to me."
It most certainly can happen to consumers, and CUs have found themselves on the hook for more than $90 million in member losses as a result of data breaches at Target and Home Depot alone, according to data from CUNA.
And industry experts don't expect it to get any better anytime soon.
"Credit unions are very aware of what's going on and looking for ways to mitigate potential losses," said Mike Hoover, a staff underwriting specialist in CUNA Mutual Group's credit union protection area. "What we're seeing is that as frauds occur and you shut off one avenue, the people committing these actions are very smart people, so they find another avenue to commit the fraud."
Hoover's colleague at CUNA Mutual, Jim Hunt, emphasized that one of the major takeaways from this year is that anyone can be a victim.
"I don't think there's anybody who's secure enough," Hunt said, noting that even the White House was hacked this year. "I would never point a finger at a credit union and say they aren't secure enough. There are some who need to have more security, but I think the majority of credit unions are working very hard to be as secure as possible — but that doesn't mean you can't still be hacked."
And that applies to credit unions as well as retailers, emphasized Andrew Tilbury, chief marketing officer at Bluepoint Solutions.
"CEOs are on notice that if they fail to respect safeguarding their members' information, it could have disastrous impacts on their reputation, their career and the reputation of their credit union," Tilbury said.
No Better, No Worse
Some industry experts and insiders say that despite all the recent high-profile hacks and threats, most institutions aren't any better off than they were this time last year.
"We are no more or less secure than we were 12 months ago, but merchants like Target and Home Depot have been exposed for lacking in security," said Steve Ruwe, chief risk officer at PSCU, who leads the CUSO's risk analytics team. "But I think those with vulnerabilities have been exposed this year."
Jake Olcott, a principal with Good Harbor Security Risk Management LLC, noted that the risk was always there; people just weren't paying attention to it.
"Now that people are paying attention to it, they are starting to enhance their cyber security programs through strategic and technological acquisitions," Olcott said. "That is opening a lot of eyes for people who previously weren't really engaged in this.... Now everybody knows it's a problem and everybody is engaged in it, but it's definitely going to take a lot of time to get things to where everybody wants them to be."
The bigger problem for merchants and financial institutions, according to Colin Hite, a partner with the Insurance Recovery Group at Hirschler Fleischer in Richmond, Va., is that "there's a myriad of ways you can be breached," whether that's hackers getting into systems or a rogue employee.
And there's also the risk of third-party error. Target's breach was the result of weaknesses on the part of its HVAC vendor, which ultimately enabled hackers to gain access to the company's POS terminals.
Bluepoint's Tilbury noted that one factor that made the Target breach such a big story wasn't just the retailer's high profile, but the timing — dead center between Black Friday and Christmas. So now that the 2014 holiday shopping season is almost in the books, what can credit unions do to protect themselves and their members?
"If they haven't done something by now, it's too late," said Tilbury. Much of the problem, he explained, is that many of the vulnerabilities happen at the point of purchase, which is out of the control of credit unions. "Obviously in terms of safeguarding their own information, [credit unions] can do a lot, but in terms of somehow protecting a transaction that happens at a second party, I don't know how much they can do."
Watching for Patterns
Hite advises CUs to take many of the same actions as retailers, and that starts with watching for patterns that can alert them to red flags.
"If the credit union is getting calls that you see an uptick in consumers calling and claiming there are fraudulent charges, that's a red flag that you may have a breach," he said.
Credit unions have responded to the Year of the Breach in different ways. Speaking to CU Journal earlier this year, Michael Poulos, CEO at 99,000-member Michigan First CU, noted that his CU ran transaction analyses to determine which members shopped at Target during the time the breach was occurring — a total of about 1,500 members split between 1,000 using debit and 500 using credit.
Rather than immediately shut down affected cards, Michigan First coordinated with individual members on a reissuance strategy that worked for them. It also reached out via phone, e-mail and letters to alert members to the problem before news of the breach came out, offering them the option to replace their cards, though not all members felt they needed to do so.
All told, the CU spent more than $25,000 to correct the situation. Though Michigan First re-issued all cards as mag stripes, it accelerated EMV as a long-range item for the credit union.
On the other hand, at San Francisco Police CU, CEO Eddie Young said that while the breach didn't impact the institution's decision to roll out EMV, it did "push this subject matter into the forefront. Our members have an expectation of us to provide them with the most secure form of transacting, so this was a very simple decision on our part."
SF Police introduced EMV credit earlier this fall, with debit expected to follow in the new year once the CU's cards processor has that functionality in place.
"Maybe we've been fortunate that when these cards are compromised, sometimes the perpetrators may not use these account numbers until a later date," observed Young. "But the impact to us in terms of transactions or fraudulent transactions could be worse — I think we've been very fortunate."
That's not to say that the CU hasn't incurred costs as a result of the "Year of the Data Breach." SF Police has a policy of immediately reissuing cards after they are breached so that the affected card can no longer be used — and the CU issued a lot of new plastic following the Target breach.
Vendors and service organizations have also been impacted.
PSCU's Ruwe noted that the CUSO has increased its staff by 20% just with employees dedicated to fraud prevention and assisting members over the phone. PSCU has also found itself reissuing more cards, not just as part of the normal reissuance cycle, but as CUs determine that reissuing plastic is the best way to combat data breaches and make members feel more secure.
Yesterday Target, Tomorrow the World
Responses varied when asked what further fallout should be expected in the wake of the Year of the Breach, but nearly all sources agreed that one thing is for sure: the breaches aren't over yet.
"I just don't really see the momentum letting up any time soon in terms of merchant breaches," said TMG's Reyes, who predicted that merchant breaches may even be the trend until a few years after EMV is fully implemented stateside. Because even as the biggest merchants make the switch, she said, there will be plenty of smaller, independent retailers that lag behind and will be susceptible. "2015 might also be 'Year Two of the Data Breach.'"
CUNA Mutual's Mike Hoover cautioned that EMV won't permanently solve the fraud problem.
"As we get one thing in place, the key is staying ahead of where [fraudsters] are going next and being vigilant and monitoring what's going on," he said. "Because you'll get the EMV cards and your card-present fraud is going to drop, but the next spot to look is going to be card-not-present fraud. It's about being vigilant and trying to stay ahead. They're not going to stop; they're just going to keep moving."