On September 8, 2014, Home Depot confirmed in a press release that its payment data systems had been breached, potentially affecting its nearly 2,200 U.S. and Canadian stores. Home Depot’s investigation is focusing on a timeframe from April 2014 forward.
According to Home Depot, the at-risk information includes full track data. PIN block data is NOT believed to be at risk at this time, nor is any information from its e-commerce site.
Visa began distributing at-risk accounts to issuers based on preliminary information provided by Home Depot as early as September 9, 2014.
The criminals apparently had enough information to get some banks to reset customers’ PINs. Banks are reporting that thieves were able to change the PINs on the cards using the banks’ automated IVR systems. Issuers have reported PIN debit fraud at ATMs in Canada. Additionally, some consumers have reported receiving spam emails phishing for personal financial data in conjunction with the breach.
The Community Bankers Association of Illinois (“CBAI”) and the Independent Community Bankers of America (“ICBA”) have informed lawmakers that the costs of reissuing cards should ultimately be borne by the party that experiences the breach.
CBAI and ICBA Recommend the Following to Community Banks and Customers:
- When a community bank is contacted for a PIN reset or change request, implement a stronger authentication process by requiring the cardholder to accurately supply all necessary information before processing the request. Consider asking for the last financial transaction the customer conducted and/or the name, if any, of a joint customer on the account.
- Consider instituting a “call back customers” process for PIN change and PIN reset requests to ensure such requests are valid.
- Advise customers to review account activity frequently—either online or over the phone—and immediately report any suspicious card activity back to the bank.
- Consider putting a section on your bank’s website with suggestions on ways that customers can protect themselves against a breach. Updates on the status of any current breaches could also be placed here. Providing information in an easily accessible location helps your customers find the appropriate information quickly, reducing confusion and phone calls to the bank.
Additional information and resources on how community banks can deal with this and other data breaches are available on ICBA’s comprehensive resource called The ICBA Toolkit on Maintaining Consumer Confidence During a Data Security Breach. See Toolkit.
New Initiative Seeks to Promote Executive Leadership of Cybersecurity Management
The increase in the frequency and sophistication of cyber-attacks directed at financial institutions in recent years requires a shift in thinking on the part of community bank CEOs: cybersecurity is not simply an IT issue, but an executive-level issue for the board room, senior executives and the CEO.
This is the core message of an initiative launched recently by the Conference of State Bank Supervisors (“CSBS”) called “Executive Leadership of Cybersecurity.” The goal is to promote and encourage community bank CEOs and senior executives to actively engage in the management of cybersecurity risks at their institutions.
“Executive leadership is critical to ensure sufficient resources and attention are paid to emerging cybersecurity threats,” said CSBS President and CEO John W. Ryan. “Ensuring that a financial institution’s defenses are able to protect against cyber-attacks is critical, not only to the bank, but for the bank’s customers and the sector as a whole.”
The Executive Leadership of Cybersecurity (“ELOC”) initiative doesn’t simply tell bank CEOs they should get involved in the cybersecurity management of their banks. The ELOC also shows bank CEOs how to get involved and what questions to ask their IT staff.
“ELOC encourages CEO engagement by bringing together current best practices and fundamental information on cybersecurity that is tailored for the bank CEO and by presenting it in a non-technical and easily understandable way,” Ryan said. “This information is culled from credible resources, such as the Federal Financial Institutions Examination Council, the U.S. Department of Homeland Security, and the U.S. Secret Service, to name a few.”
Each week, for the next two months, new content will be published on the ELOC website that focuses on different cybersecurity topics, including the risk management process, incident response plans, the types of cyber-attacks, and much more.
To learn more about the Executive Leadership of Cybersecurity initiative and sign up to receive a cybersecurity 101 resource guide including content designed exclusively for bank senior management, Click Here.