Hackers are getting more sophisticated when it comes to stealing consumer financial data. Instead of going through the front "technology" door at financial institutions, where CUs have stronger information security programs in place, they're taking the side door — through retail chains and third-party vendors.
News headlines paint a grim portrait of these escalating side door threats: attacks at retail chains — Target, Home Depot, and Dairy Queen are but a few — prompted many security experts to name 2014 the "Year of the Retailer Data Breach." In many of these events, hackers are able to steal valuable financial data by penetrating weak points in retailers' payment card systems and vendor security. Then, they often sell the data on Internet black markets, putting victims at risk of identity theft and other fraud.
There's no sign of a slowdown, either. Data breaches rose by 27.5 percent from 2013 to 2014, according to the Identity Theft Resource Center, and more than 675 million records have been exposed in breaches since 2005. Because studies show that data breach victims are more likely to experience fraud, the numbers point to a growing need for CUs to take measures to protect themselves against increased fraud losses, plastic card reissuance costs and increased monitoring activities. CUs are also aiding members by helping them avoid costly expenses relating to restoring their identity.
Leaving CUs on the Hook
Hackers are targeting a widening scope of credentials in order to gain access to critical networks and systems, and the evidence shows that hackers are becoming more creative. In the Target breach, they penetrated security by using credentials stolen from an HVAC vendor. In the Home Depot breach, thieves installed malicious software on the home improvement chain's point-of-sale (POS) self-checkout machines. When customers swiped payment cards to pay for purchases, their data was stolen.
Although these data thefts are taking place through merchant systems, financial institutions are on the hook. Retailers and third-party vendors are the weak link in the information security chain. Hackers know that merchant security controls are not at the same level as those of a financial institution. They can penetrate merchant systems and get to the information they're hoping to get from a financial institution: Social Security numbers, card account data, access credentials, and more.
Financial institutions of all sizes are vulnerable to the indirect access of customer data, no matter how strong their internal controls are. In September 2014, VyStar Credit Union, along with many other financial institutions, had to deal with the consequences of a major retailer's data breach of credit and debit card information. In its announcement, VyStar explained that the breach did not happen on VyStar's systems or networks, but on those of a major retailer. This was an important distinction to make because many consumers believe breaches of this sort take place at their credit union or bank. VyStar spends a considerable amount of time and effort to make sure members understand that the CU does all it can to protect their information, as well as providing consumer education on what members can also do to protect their identity. The announcement was necessary, and other CUs should consider adopting a similar process.
Still, the soft and hard costs that must be absorbed by financial institutions are staggering. They include maintaining the staff and the technical hardware and software to continually protect and monitor systems as well as the cost of reissuing the plastic cards that were involved in the merchant's compromise.
Regulatory changes are on the horizon. Congress has passed legislation that goes into effect in October 2015. That legislation will hold retailers more accountable for data privacy. New cards with EMV chip technology will be issued, and retailers are required to change their POS devices to accept the cards. If they don't, the liability for loss will shift to the merchant.
Protecting CUs and Members
In order to protect members, credit unions must do all they can to secure systems and data. We suggest employing multiple layers of technical controls to deter hackers from gaining access to critical networks and systems. Also, CUs should have in place several monitoring controls so that attempted break-ins can be detected quickly and prevented.
Since many of the hacking successes are not direct attacks on the CU's own systems, a savvy credit union will build a risk management process that includes every touch point in the organization's data stream. For example, conduct third-party vendor due diligence to understand what level of information security controls each supplier has. This allows CUs to identify weaknesses and find ways to fix the vulnerabilities.
Education is also a large part of VyStar's prevention strategy. Credit unions should conduct educational training regularly with employees, and also offer training to members to help them protect their data. Information security awareness training is critical to the success of your overall information security plan.
Credit unions should be doing all they can to maintain their reputation for having strong security controls.
Credit unions are under pressure by their members to ensure the safety of their data and their money. By acting vigilantly and increasing security awareness, credit unions can help reduce financial losses, better educate the consumer and help members understand how to protect themselves.
Matt Cullina is CEO of IDT911. Vicki Adams is Chief Risk Officer of VyStar Credit Union.