President’s Perspective

Revealing the Target Breach Costs

Merchants must become more accountable for security breach costs.

March 1, 2014
Since news of the target breach surfaced this past December, CUNA has focused on answering three key questions:
  1. What’s the cost of the security lapse to credit unions and their members?
  2. Can we help the public understand that credit unions and their members—not the retailers— bear those costs?
  3. Can we convince Congress to look into the breach—and consider some changes to current law to place more responsibility on merchants for covering the costs?
During the past two months, we’ve concentrated on these questions—and answered them. Call this Phase I.
Shortly after we learned of the Target breach and its massive impact on consumers, we knew we’d have to gather information from our members about the costs of the breach. We would need this to answer questions that lawmakers, regulators, the media, and others would surely ask about how the breach affected credit unions.
We developed an online survey for our members, and collected data. After submissions from nearly 1,000 credit unions, we could draw some conclusions:
  • The breach cost credit unions between $25 million and $30 million— a range that likely will rise as more information flows in, and as any incidence of fraud becomes apparent;
  • About 77% of credit unions with members affected by the breach replaced the cards outright (the largest single cost to credit unions).
  • About 4.6 million credit union cards were “affected” (meaning the credit union was notified that the card had been compromised). Of these, we estimated four million had been reissued.
We knew we also had an obligation to show the public—primarily through the media—that credit unions were bearing the costs of this massive data breach, and not retailers. We sent out a press release with our findings.
Media response was swift . The Associated Press widely reported our survey along with Capitol Hill publications, such as The Hill and Politico (exposing members of Congress and their staffs to our message that credit unions bear the costs—not Target).
The Wall Street Journal’s “Moneybeat” blog pointed out that CUNA’s cost tally “is one of the first to identify the hit to financial institutions from the breach.” The blog also highlighted that credit union members, as owners of their cooperative financial institutions, ultimately bear the costs.
We called on Congress to hold hearings on the breach and its impact (in fact, we were among the first trade groups—if not the first—to call on Congress to hold hearings on data security). We urged lawmakers to hold merchants responsible for the costs their actions impose on others, including credit unions.
By early February, Congress held four hearings on the issue.
We have more to do. So now, we’re in Phase II. We’re helping credit unions find expert legal counsel who can represent them in court, if necessary.
And we’re urging Congress to take a long look at these breaches. The more lawmakers know, the more they can appreciate the imbalance in current regulations. They’ll better understand that merchant data breaches occur because the law and the incentive structure today allow merchants to abdicate that responsibility, making consumers vulnerable.
In fact, these points were front and center during the 2014 CUNA Governmental Affairs Conference in Washington, D.C.
Last November, a data breach of this size and scope seemed out of the question. But let no one question our resolve in working on credit unions’ behalf to stop future breaches.