WASHINGTON (11/10/14)--It wasn't only payment data that cybercriminals ripped off of consumers during the Home Depot breach in September. The home improvement mega retailer announced last week that hackers also stole 53 million email addresses when they broke into its payments system (Housingwire.com Nov. 7).
Home Depot said the criminals used a third-party vendor's user name and password to "enter the perimeter" of the retailer's payment network, according to Housingwire, allowing them to navigate sensitive portions of the network and deploy "unique, custom-built malware" on Home Depot's self-checkout systems.
"The company is notifying affected customers in the U.S. and Canada," Home Depot said in a press release. "Customers should be on guard against phishing scams, which are designed to trick customers into providing personal information in response to phony emails."
The breach led to more than 56 million credit and debit cards being compromised nationwide, including about 7.2 million cards issued by credit unions. Last week, the Credit Union National Association released the results of a survey it completed on the effects of the Home Depot breach and found that credit unions, so far, are on the hook for nearly $60 million in costs as a direct result of the incident.
That total includes the cost of reissuing cards, which CUNA estimates costs credit unions $8.02 a piece, and accounts for fraud and additional staff time to notify members and monitor accounts.
CUNA continues to lobby federal lawmakers to pass legislation that would require merchants to adhere to the same strict payment data security standards that financial institutions are required to meet.
The nation's largest credit union trade group also recently launched the website www.StopTheDataBreaches.com as part of its campaign to raise awareness about this issue.
Putting a face to just how burdensome these incidents can be for credit unions, Columbus Business First ran a story last week about the steps individual credit unions have had to take in the aftermath of the breach.
KEMBA Financial CU, Gahanna, Ohio, for example, had staff members pouring over thousands of transactions to find out how many of its 78,000 members had shopped at Home Depot between April and September, when the breach occurred.
"We learned about the breach as everyone did and pulled together the disaster recovery team," Gretchen Bartholomew, director of operations for the $845 million-asset credit union, told Columbus Business First (Nov. 7). "We very swiftly, within 24 hours, assessed the depth of the breach."
More than 12,000 members were at risk, the credit union discovered, and to reissue credit and debit cards to all affected members cost KEMBA about $73,000.
And with Ohio's credit unions getting hit with $1.3 million in costs to reissue cards and cover fraudulent charges after the breach overall, KEMBA's situation is certainly not uncommon.
"It's a substantial cost that doesn't need to exist," Bill Hampel, CUNA chief policy officer/chief economist, told Columbus Business First. "It's a waste of plastic. Other cards were totally functional, but the data was compromised. And it's a real pain in the neck for consumers."
Use the resource link to access CUNA's "Stop the Breaches" website.