CLEVELAND – Credit unions and banks are once again struggling to plug a data breach that is siphoning tens of thousands of dollars from debit cards through purchases at local retailers.
The latest breach comes as Congress is making another try at data security legislation aimed at making the source of the breach more responsible for costs related to the resolution. In the latest effort, the House Energy and Commerce Committee is proposing a bill that would require companies that are breached by hackers who steal consumer information to notify customers within 48 hours of assessing and identifying the intrusion.
The latest congressional initiative comes as dozens of credit unions and banks in Ohio are shutting down and replacing debit cards as holders report fraudulent use. According to police reports, thieves went on spending sprees ranging from $600 to $4,000 at such retailers as Giant Eagle, Acme, Walmart, AutoZone and CVS in several communities. Fraudulent purchases on the cards are also being made elsewhere, from Georgia, New York and California to Australia, Germany and the Philippines.
Among the credit unions reporting the fraud are Century FCU, First Class CU, Firefighters CU, PSE CU and Best Reward CU, as well as KeyBank, Dollar Bank, Fifth Third Bank, Huntington Bank, Charter One, Ohio Savings and First Merit.
Authorities believe the card information was stolen from a single source, then used to create counterfeit debit cards, which are being used in the fraudulent transactions.
Coming on the heels of the nationwide breach at Michaels Stores and data thefts at Citibank and the International Monetary Fund, the latest incident has heightened concerns over data security in Congress, which has revisited the issue off and on over the past decade, only to be stymied by the huge lobbying battle between merchants and financial institutions.
As part of the proposed legislation, NAFCU urged lawmakers to include provisions that would require the source of the breached data to pay resolution costs, such as card replacement and cardholder notification; set national standards for safekeeping of information; require public disclosure of where the breach occurs; and strictly enforce the existing prohibition on data retention.