Credit unions are on alert but also taking a wait-and-see approach following news that a gang of Russian hackers have amassed 1.2 billion sets of user names and passwords.

The biggest risks for CUs are likely to come from spamming and spear phishing, Jeff Johnson, senior vice president of information technology at Baxter CU in Vernon Hills, Ill., and a member of the executive committee for the CUNA Technology Council, said in an interview.

If the hackers have e-mail addresses, "they can start spearphishing our members or our employees to gain even further access," he said.

"So that's a point of attack I'd be worried about," Johnson said.

Another concern is the hackers' ability to use those e-mail address to send out botnets and using those botnets for malicious purposes, he said.

The pilfered records, associated with about 500 million unique e-mail addresses, were discovered by Hold Security LLC, a Milwaukee-based company that sells information security and risk management services. The findings were based on seven months of research, though the company didn't give a time period for the theft or name any websites that were hacked.

The latest cache of user names and passwords was extracted from websites using a network of compromised computers known as a botnet, according to a statement from Hold Security.

The "list includes many leaders in virtually all industries across the world, as well as" small or personal websites, according to Hold Security.

But some are skeptical.

Although Hold Security said that the hackers gained access to the largest known cache of stolen personal information, not all the records were current and the company couldn't say if financial accounts were linked.

Also, user names and passwords are less valuable than credit card data and Social Security numbers, said Peter Toren, a partner in the Washington-based law firm Weisbrod Matteis & Copley Plc.

"People should step back and question what kind of accounts are we talking about," said Toren, who served as an attorney for the Department of Justice's computer crime and intellectual property section from 1992 to 1999. "Do I really care if they find out what kind of music I listen to?"

Robert Reh, chief information officer at Nassau Financial Federal Credit Union and also a member of the CUNA Technology Council's executive committee, expressed some skepticism about where the news of the breach was coming from.

Hold Security "sent this out obviously for their own reasons — to get interest in their services... And when they announced it they also announced that they would notify the websites that were affected by this that this info was gleaned from, but only if you sign up for their preach notification services that start at $120 per year," Reh said.

Unique Breach

This attack is a bit different than some of the other breaches seen in recent month such as those at Michaels Stores Inc. or Target Corp. because members haven't been directly targeted, Johnson said.

When retail shops are hit, for example, "we know the cards that have the potential to get fraudulently used in the future," he said.

"This is a little more generic, and I think this one's going to be a little bit more ‘connect the dots over time,' as opposed to you've got these 10,000 cards that we know were in the list of cards that were compromised," Johnson said.

Despite those concerns, however, Baxter isn't planning to take any immediate action beyond closely monitoring the situation, he said.

If Baxter begins to get questions from members — whether via its website, call center, e-mails or Facebook page — then it might change its strategy, Johnson said.

"When Heartbleed was all the rage in April we had enough calls that we posted stuff. Members appreciated that we came out and said we're aware of it and we don't' know of anything that's been compromised," Johnson said.

"As far as I know, we haven't had any calls or Facebook posts yet. We'll react in an appropriate way based upon the volume," Johnson said.

"On the other side, we'll monitor, talk to our peers, read [trade publications], and survey the landscape like we always do," he said. "I think if you've got good procedures and processes in place this is just another one in a series of breaches that you need to monitor."

Huge Haul

Serious criminals, often in Eastern Europe, steal payment card numbers. The theft of at least 40 million such numbers from Target last year was one of their biggest hauls.

The bigger threat is that the Russian hackers could use whatever information they obtain to build profiles of people, which can be sold on the underground Internet market or used to obtain fake driver licenses or passports, Toren said.

Despite concerns over the age of the data, where it came from and how useful it actually is, the threat should be taken seriously, he said.

This could, in fact, be another wake-up call for CUs, Reh said.

"This is not something new," he said. "You should already have [processes and procedures] in place for something like this... There are hackers out there that we need to be aware of and protect our institutions from."

The attack also raises the issue of password security, said Reh, who pointed out that though passwords aren't going away anytime soon, events such as this one, coupled with rapid advances in biometrics, indicate the need for stricter security protocols.

"Obviously technology has changed over the past few years with the introduction of smart phones and mobile devices, especially with cameras that can be used for facial recognition or fingerprints," he said.

Although widespread use of biometrics may still be a few years off, breaches such as this one can and should help push the use of that technology forward, Reh said.

Shadow Economy

"We have been collecting information to help our customers stay more secure," said Alex Holden, the founder and chief information security officer of Hold.

Security. "We found that it was such a great impact to society that we decided to make a public statement."

The hackers operated from central Russia near the border with Kazakhstan, Holden said.

He declined to provide exact details about their location or identities in order to not jeopardize potential law enforcement operations.

Although the claim by Holden has to be verified, the details and scope of the attack aren't surprising, according to JD Sherry, vice president for technology and solutions at security firm Tokyo-based Trend Micro Inc. (4704) in the United States.

"The Eastern European shadow economy is stocked with treasure troves of data as well as national security assets in the form of elite hackers," he wrote in an e-mail. "It is plausible that a single syndicate has cornered the market and compromised over a billion credentials over an extended period of time."

Small Fraction

Cybercrime costs as much as $575 billion a year and remains a growth industry with attacks on banks, retailers and energy companies that will worsen, according to a report published in June by the Washington-based Center for Strategic and International Studies and sponsored by network security company McAfee Inc. of Santa Clara, Calif.

Financial institutions and credit card companies are quick to cancel cards that they know are stolen, and they have developed advanced algorithms for detecting fraud before charges hit victims' accounts.

The hackers could rent their lists to spammers, though few people open spam e-mails or even see them anymore.

Effective filtering blocks 299 out of every 300 spam messages, according to The Spamhaus Project, an anti-spam nonprofit based in Geneva and London.

Bloomberg News contributed to this report

Subscribe Now

Authoritative analysis and perspective for every segment of the credit union industry

14-Day Free Trial

No credit card required. Complete access to articles, breaking news and industry data.