Analysts say that, unlike the data breach that hit Target in 2013, the Equifax breach was monumentally perplexing because the company’s mission is to protect the data of its 143 million clients, many of whom are or were credit union members.
“If a company that manages the most sensitive financial information belonging to a majority of the people in this country isn’t implementing careful security measures and patching known vulnerabilities, it is a strong indicator that security is clearly not a high priority for companies until after a breach occurs,” said Henry Carter, assistant professor in the Computing Sciences Department at Villanova University.
Carter explained that the attackers exploited a breach in a web application tool that was known to exist in March, but “for some reason” remained unpatched for several months. Making matters worse, Equifax knew about the breach for more than six weeks before making a public announcement. The company’s CEO, Richard Smith, has since stepped down.
Mountain America gets proactive
Prior to the Equifax breach, Mountain America Credit Union took in-house proactive measures to protect its 680,000 members, including ID protection service, alerts, code words and mobile solutions.
“As long as we live in a world where stolen information is profitable to hackers, we will have to continuously improve our security measures,” said Tony Rasmussen, VP of public relations and financial education at Mountain America. “As an industry, we can neither control nor predict the next breach, so it makes sense to invest in a variety of innovative solutions that give members more control as well as peace of mind.”
While Rasmussen added that it is too soon to tell how this breach will ultimately affect MACU or its members, he said: “Our best course of action in the immediate future is to help members safeguard themselves and their information from fraud and identity theft through education and helping them take extra security measures.”
The $6.8 billion MACU counts roughly 40 percent of its membership as active mobile users and 30 percent of members are active online banking/PC users. Among in-house initiatives to protect members is the credit union’s “Card Manager” mobile service, which allows the member “to do so much more than close or freeze a potentially lost card in seconds,” noted Rasmussen.
“It puts 24/7 control in members’ hands to do a wide variety of features, including new card activation and PIN setting, lost/stolen card cancellations, card replacement orders, travel notifications and more,” he said. “If a member receives an alert for an unfamiliar transaction, Card Manager allows her to shut off any further card activity until she can verify whether that transaction was fraudulent or not.”
Villanova’s Carter said proactive measures like those undertaken by Mountain America are critical to member security because call, text and email scams from attackers posing as financial institutions or government agencies are increasingly hard to identify.
“There is no cure-all information-security solution for any company. However, one of the largest contributors to the widespread lack of security is that, for most companies, it is not profitable in any way,” said Carter. “Adding extra security does not increase revenue, so it is often minimized until something like the Equifax breach happens.”
In an effort to ensure member data is secure, MACU also invests in employee programs, from in-person training for new hires to ongoing training for tenured staff.
“We have internal resources like our online Mountain America University and Knowledge Center, where employees can access training courses and reference guides,” said Rasmussen. “We host frequent branch manager and assistant branch manager meetings, where they gather face-to-face to talk about ideas, issues, best practices and more.”
The education doesn’t end with employees. MACU has specially trained employees – Tech Champions – staffed in branches to demonstrate a variety of mobile banking tools and innovations, such as photo balance transfers, instant loan approval and funding, Card Manager and biometric logins.
“They are also able to assist members wanting to set up alerts, notifications, code words or sign up for ID protection services,” said Rasmussen. “Our call center is staffed with special technology experts as well.”
Avoiding breach pitfalls
For credit unions looking at developing in-house data security solutions, Carter said one of the biggest mistakes an organization can make is making IT departments “entirely responsible” for managing security.
“While IT has expertise in the technical aspects of an enterprise system, they do not have a complete knowledge of the risks to the business overall,” said Carter. “Collaboration with the IT department in assessing where the greatest risks are and what data should be protected with the strongest controls will help ensure that more attention is paid to protecting the greatest risks within a company.”
MACU also partners with the ID theft and protection company, Deluxe Provent, which provides paid ID protection services. Members can opt to pay a small monthly fee for “some extra peace of mind,” said Rasmussen.
“The basic level scans the Internet for credit and non-credit information in black market chat rooms that sell identifying information and will help restore a member’s identity if they become a victim of identity theft,” he explained. “The premium service monitors public record databases and the three major credit bureaus for personal information that may appear in court records, address or name change requests, sex offender registries and payday loan applications in connection with identity theft and fraud.”