Hampel, Dykstra highlight data breach damage to CUs in NYT

September 30, 2015

WASHINGTON (9/30/15)--Credit union officials explained the damage caused by data breaches, and how financial institutions seek redress from the retailers responsible for those breaches, in a New York Times article this week. CUNA Chief Policy Officer Bill Hampel and Diana Dykstra, president/CEO of the California and Nevada Credit Union Leagues, were both quoted in the article, highlighting credit union concerns with retailer data breaches.

The article begins with an online alert that stolen credit and debit card data from a Home Depot data breach would go on sale, and addresses how quickly the information was purchased on the black market. All this happened without credit unions and other financial institutions being aware that Home Depot had suffered a breach.

“With the Home Depot data breach, we weren’t even told for days that it existed, that it had happened,” Dykstra said. “We didn’t know that the cards had been sold on the black market. It hit credit unions and small banks really hard.”

The article explains how, more than a year later, the “full tally of the Home Depot data breach remains unknown. Some estimate the fraudulent charges total well into the billions of dollars.”

CUNA’s research has indicated that credit unions alone faced nearly $60 million in costs related to 7.2 million compromised payment cards from the Home Depot breach.

For credit unions, which have much smaller asset levels than big banks, costs associated with data breaches can be very harmful.

“A $100,000 fraud loss to a large financial institution is nothing. But a lot of credit unions have annual net income that is less than $1 million,” Hampel told the Times. “If you take a couple of big fraud hits, that’s substantial for them.”

CUNA is serving as a named plaintiff in a class action lawsuit against Home Depot. It has also urged legislators on Capitol Hill to pass sweeping data breach legislation that would create a national security and notification standard, as well as require entities that handle sensitive consumer data to meet data security requirements similar to those required of financial institutions under the Gramm-Leach-Bliley Act.