Diekmann: A Different Perspective On Breaches, Reactions

How fitting is it that the company at the center of the most recent data breach is called "Target?" Because that's what every retailer, financial institution and consumer is when it comes to thieves and your data.

But while precautions are obviously necessary on the parts of all three constituencies, the big news around big breaches such as that at Target can also lead credit unions to overreact, according to one person, who is offering some perspective as those big numbers are being tossed around.

You already know the Target story. The Minneapolis-based retail chain said an unknown group or groups of hackers had penetrated two of its computer systems beginning on Nov. 29 (bringing a new definition to Black Friday) and continued until Dec. 15, gaining access to up to 70 million accounts.

For companies that process transactions and cards for credit unions, such as CSCU, CO-OP, TMG and PSCU, the breaches and resulting fraud attempts only emphasize the need for around-the-clock vigilance.

Better Have A Plan
"I can't say that the Target breach really surprised me," said Steve Ruwe, chief risk officer with PSCU, who heads up the CUSO's Risk Analytics team. "It's not that you want this to occur, it's just that you have to plan for it."

Ruwe said PSCU began seeing "odd transaction trends" in its data even before Target announced the breach. "We just didn't know who it was. There have been compromises in the past where the merchant is never identified and you can do regression analysis and see the fraud occurring. Target was different in that they came right out and said 'we have a problem.'"

Indeed, while Target went public, many merchants never do. At the same time Target was being targeted, it is believed at least three other U.S. retailers were also being hit.

PSCU, like other processors, is constantly monitoring its 16 million accounts for fraudulent activity, noted Ruwe. It does portfolio analysis at the regional and individual CU level, as well, with Ruwe noting the Neiman Marcus breach is a good example of being able to see a threat on a regional level.

"After Target announced, the next big step in the chain is to identify the affected accounts in our system," Ruwe said. "Because they were able to define the range of dates of the exposure, it made it pretty easy to do that. We tagged those accounts immediately and gave those accounts a special strategy. That's pretty common. What makes us unique is how we do it."

What also makes PSCU's approach unique, said Ruwe, is that in the wake of a breach it does not immediately move to a default position of "block and reissue."

"PSCU has taken the philosophy that you don't need to reissue every card right away," he said. "We believe our system is strong enough to manage fraud. Typically, at the end of the day it's a pretty small percentage of accounts that are affected. In the T.J. Maxx breach, for instance, it was something like 3.5% of accounts. To reissue cards to your entire card base can be pretty disruptive."

He said PSCU member CUs see, on average, about one-half the fraud losses of other financial institutions.

Despite the cost, often an FI will reissue cards to its entire base to restore confidence (perhaps as much for itself as its own members/customers). That's low-risk in cases such as the Target breach, when an FI can point to a specific company as the reason. But as one person once told me, in cases where no merchant assumes responsibility, then the member believes the problem and risk must lie with their credit union.

According to Ruwe, about 15% of PSCU's member CUs have reissued cards following Target's announcement. But in reality it has only seen about 3,000 accounts where fraud took place out of 650,000 total cards. PSCU is reporting that it has declined in excess of $5 million in fraud following the breach, meaning no loss to the issuer.

The Target breach has renewed talk of pushing up the 2015 deadline to eliminate mag-stripe cards in the U.S. in favor of the EMV standard, which is considered more secure but is also not foolproof. "EMV is going to help," said Ruwe, "but until all the entities involved harden their environments, we're going to continue to have problems."

Hard To Sleep
In recent weeks there have been quotes too-frequent-to-count from analysts saying the Target breach is a "real wake-up call." Frankly, there have been so many wake-up calls I find it hard to believe anyone ever goes to sleep. In October 2013 Adobe Systems reported a hack involving 130 million accounts. There was that T.J. Maxx breach and a 2011 breach at Sony that involved 77 million people.

Are consumers just becoming blasé about the risks, assuming it's just the price that comes with the convenience?

"I don't think people are that pragmatic about it," responded Ruwe. "I think they are much more sensitive to their debit cards and see it as the channel to their own assets, versus a loan balance on a credit card. They are much more concerned with the debit card."

 

Frank J. Diekmann can be reached at frank.diekmann@sourcemedia.com.

