Data Security: Plan for the Worst Scenario

Response time, staffing, and planning help prevent and minimize damage from data security breaches.

December 1, 2010

Credit and debit cards pose the biggest threats to members’ data, say credit union leaders. Security breaches at merchants, in particular, leave the data critically vulnerable. And new fraud rings in foreign countries are a growing problem.

Procedures must be ready to swing into action immediately if a breach occurs, CEOs agree.

Response time is critical

The Golden 1 Credit Union, Sacramento, Calif., with $7 billion in assets, had cards compromised during two high-profile data security breaches—at TJX Cos. in 2007 and at Heartland Payment Systems in 2008, when more than 100 million total accounts were compromised.

“Some of the cards were used fraudulently, and we learned that once fraud occurs, it comes in masses. Your window of opportunity to act is very short,” says Donna Bland, president/CEO. “Criminals usually strike quickly with high-dollar-amount transactions.”

The credit union had to immediately notify members whose account information was compromised and replace their cards, to minimize losses and provide seamless service. Golden 1 now has letters prepared in advance; along with staff call scripts and Q&A documents. “We pull them off the shelf and refresh them periodically,” says Scott Ingram, vice president of marketing.

Response time is critical, Bland emphasizes. “You can’t start drafting member letters when they begin calling to ask what’s happening with their accounts.”

Golden 1 has a loss-prevention department to scrutinize operations and stay abreast of fraud trends and new prevention tools. “We monitor card-use trends, both internally and through a third party,” says Bland. “We look for transactions over a certain dollar amount happening within several minutes in different parts of the country. We can also tell if a card is present during a transaction. These things help us know if further investigation is warranted.”

The credit union had an internal compromise more than 10 years ago, when an employee stole member data. Golden 1 identified and prosecuted that employee and redoubled its internal controls. “We asked Fiserv to develop a way to mask confidential member information in our database, so only employees who need to see that information can,” Bland says.

Other measures include:

  • Employees need security badges to enter the building;
  • Access to different departments is “role-based”—employees can only enter sensitive areas as their roles dictate.
  • The credit union collects driver’s license information on all visitors, who must also wear badges and be accompanied by an employee at all times.

Other precautions are simple but effective, says Bland. “We disable fax machines and lock up loan files after hours, and our security staff double-checks that information hasn’t been left out.”

Security starts with staffing

Premier Credit Union, Palatine, Ill., with $139 million in assets, had accounts affected by the highly organized September 2010 breach at Aldi grocery stores in 11 states. Criminals hacked into personal identification number payment pads and captured cardholders’ data.

“We could have been hit harder, but our IT [information technology] guy was on top of it and got some transactions reversed,” says Jim Roche, president/CEO. “We closed accounts that had been compromised and reissued them. We don’t know if they actually would have been affected, but whenever Visa or our processor tells us they’ve possibly been compromised, we close the accounts.

“We learned you have to continue to be vigilant. Thieves are always coming up with new methods,” he says, and the credit union must continue to add more robust levels of security.

Premier has all the measures in place that CUNA Mutual Group recommends for preventing breaches—from systems that verify card expiration dates and other account data during transaction authorizations, to software that analyzes cardholders’ transaction behavior and generates alerts for anomalies.

Premier hasn’t had any internal breaches, but Roche knows it’s always a possibility. “Our tellers see member information all day long, and if they wanted to take an individual’s information, they could. We do have programs in place that wouldn’t let them copy over an entire list of members.”

Internal security begins with staffing, he says. “We do background checks and credit checks on potential staff and check employees’ credit if they apply for loans. If they’re in bad shape, we try to watch them a little more closely.”

The credit union’s policies require periodic outside audits of its internal controls. “We want our controls to be even tighter than what the National Credit Union Administration requires,” says Roche.

To stay current with security tools and techniques, the credit union’s IT manager attends seminars and brings in consultants as needed. “If he has a problem [he can’t know everything], he needs somewhere to turn,” says Roche.

Address future threats

Service Credit Union, Portsmouth, N.H., with $1.7 billion in assets, also had accounts compromised in the TJX breach. “Although we’d experienced this type of merchant compromise before, this time the magnitude was much larger,” says Gordon Simmons, president/CEO.

“We quickly developed custom software and automated processes to handle the timely notification and replacement of cards, which minimized the impact to members,” he says. The credit union also immediately implemented policies and procedures to address future high-level threats.

The credit union partners with RSA Security and SecureWorks to protect members’ information from both external scams and attempts to infiltrate its internal network and data.

“We also conduct quarterly external vulnerability testing and physical security reviews, in addition to annual internal risk assessments,” says Simmons. “We’ve hired an information security officer and we continue to require annual formal information and physical security training for all employees.”

A detailed information security program is part of Service Credit Union’s disaster recovery plan. “Our information security committee—composed of key senior management and technical officers—has clear, specific mandates to ensure our information security profile remains intact and fully operational,” he notes.

The complexity and sophistication of threats and exploits has ballooned over the past few years, says Simmons. “Gone are the days when a few amateur computer geeks hijacked websites just to be nuisances. The people now involved are experts in computer technology. They’re often professional criminals operating in foreign countries, where they’re virtually immune from detection and local law enforcement.”

Still, credit unions can fight back. “Being prepared for a potential security attack requires proactively having the controls, training, a detailed information security program, and multilayered security in place to make it as difficult as possible for the hackers,” he says. “When a suspected data leak or breach does occur, having the team—in our case the information security committee—already identified is key to quickly assess the situation and begin remediation procedures.”