Bethpage Federal Credit Union on Tuesday said personal information from 86,000 of its members' Visa debit card accounts had been accidentally exposed on the Internet by an employee.
The New York credit union said that on May 3 an employee posted data on a file transfer protocol site that the employee believed to be secure. It later found the data could be accessed through search engines, and it removed the data on June 3, one month later, once it became aware of the breach. It sent out e-mails on Monday informing members who were affected and notified the National Credit Union Administration.
The credit union said the breach came as it transitioned from Visa to MasterCard debit cards. It said it has accelerated the transition and plans to replace the Visa cards within several weeks.
Credit union officials said there has been no fraud detected on the cards yet.
Data posted on the site for consumer Visa debit cards includes names, addresses, birth dates, and card expiration dates, as well as checking and savings account numbers.
It did not include Social Security numbers, personal identification numbers or CVV codes, the number on the back of cards used for remote transactions.
The credit union found out about the breach about a week ago when a member contacted it, saying the data came up during a Google search.
The credit union hired two security firms, Fishnet and Coalfire, which monitored access to the files.
The credit union informed members after the firms indicated data had been accessed by users, although the credit union said there was no evidence of any theft.
Bethpage urged members to take additional precautionary steps to further protect themselves, including reviewing account statements or online history regularly, remaining vigilant over the next 12 to 24 months, and immediately reporting any suspicious activity to the credit union.
Bethpage is offering affected members a year of free credit monitoring by Experian.