3 minutes
From our sponsor
In 2013, the financial industry had the second highest per capita data breach cost and racked up more than $11.3 billion in card fraud expenses. What’s driving these breaches?
Two Major Categories: Payment Card and Cyber Breaches
Although both types of breaches are time-consuming and expensive to resolve, there are some critical differences between them.
Payment Card Breaches
This is defined as a compromise of the payment card data and is the type of breach that’s made the news with depressing regularity over the past 12 months. The uptick in attacks started with Target in late 2013 and since that time has included Home Depot, Neiman Marcus, and Supervalu, among many, many others.
The two most common methods of payment card data theft are skimming and database compromise.
Skimming occurs when the thief installs a card reader device on a point of sale terminal or ATM. When consumers use their cards, the skimming device reads and saves the magnetic stripe data. The thieves retrieve the information and, voila!, they’re ready to create a counterfeit card.
Historically, this type of skimming required a thief to physically affix a device to the POS or ATM terminal. Now clever thieves are doing it via Bluetooth and malware—which is how experts believe the 70 million+ Target thefts occurred.
Database compromise occurs in one of two ways: when a thief thwarts a merchant/third-party processor’s security tools or a merchant/third-party processor stores magnetic stripe data, which is subsequently stolen. This second method contributed to the TJ Maxx breach back in 2007. Although the card associations’ data security policies prohibit this data storage, not all merchants/processors follow their lead.
Cyber Breaches
A cyber breach involves the theft or loss of sensitive information or internal records. This could include everything from credit union financial data and personnel files to personally identifiable member data.
Common access points include:
The cloud—As the recent hacking of celebrity photos illustrates, the cloud is not as secure as we might like to think.
Public Wi-Fi—This can be a huge point of data vulnerability, especially in conjunction with the next item.
Personal mobile devices—Most companies let employees use their personal devices at work, but don’t necessarily have security protocols in place to make that a smart choice. Plus, although consumers may be relatively diligent when it comes to protecting their computers or laptops from spyware, viruses and malware, few take the same precautions with their phones and tablets.
Active employee theft—Much as we hate to admit it, a certain percentage of employees are active data thieves. Credit unions that don’t follow best practices in data protection could be vulnerable.
Human error and system problems—According to Symantec, a data security company, two-thirds of data breaches were caused by human error and system problems. Human errors could include transferring data outside the credit union or not deleting data on an appropriate schedule; system errors include inadvertent data dumps, errors in data transfer, and identity and authentication failures. Employees can also cause problems by clicking on malicious links that allow malware/spyware/viruses to enter the system.
Operating system “holes”—Most system patches resolve security issues. If you skip the update, your system is exposed.
Physical data theft—Although we tend to focus on electronic theft, paper data is also vulnerable.
Protect your credit union from data breaches: To learn how, contact your CUNA Mutual Group Sales Executive at 800.356.2644 for information about available risk management tools and cyber liability policies.
This summary is not a contract and no coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond. Please read the actual policy for specific coverage, terms, conditions, and exclusions.
© CUNA Mutual Group, 2014 All Rights Reserved. 10005197-0914
