Home Depot Breach Cost CUs $60 Million7.2 Million Credit Union Cards Affected
The fallout from the Home Depot data breach is starting to be felt by financial institutions. Credit unions have spent nearly $60 million to reissue cards, deal with fraud and cover other costs as a result of the breach, according to the Credit Union National Association.
See Also: Building the Modern SOC
CUNA, a national trade association for state and federally chartered credit unions, conducted a survey from Oct. 1 to Oct. 24 of credit unions to see how they were affected by the Home Depot breach, with 835 credit unions responding to the survey.
The survey found that, in addition to the total cost to cover expenses tied to the incident, the breach had an impact on 7.2 million credit and debit cards issued by credit unions.
The latest news will keep the debate going as to who's liable for costs incurred from a breach. "[The debate] has been a continually growing concern for years now as the number of credit card compromises has skyrocketed and the quantity of financial loss has soared," says Tyler Shields, an analyst at Forrester Research. "The debate will be stoked further in 2015 as the banks and the retailers race to increase the security of their systems to have lower liability."
JD Sherry, vice president of technology and solutions for Trend Micro, says the costs tied to the breach are not surprising "because organizations are realizing the downstream repercussions of managing and handling the fallout," he says. "Consumers are becoming more aware [of breaches]" as well, he says, which could contribute to an increasing number of calls to credit union help desks and potentially more lawsuits being waged against the breached entity. "This all roles up to a cost-per-card metric," Sherry says.
Home Depot confirmed on Sept. 18 that 56 million payment cards were exposed in the breach that affected its U.S. and Canadian stores (see Home Depot: 56 Million Cards Breached).
$8 Cost to Reissue Each Card
Based on the survey's results, on average, the cost to reissue a card by a credit union was approximately $8, which includes costs for reissuing, as well as fraud and other costs such as additional staffing, member notification and account monitoring.
With data breaches occurring regularly, the costs to credit unions are rising. "The bottom line is that credit union members end up paying the costs, despite the fact that the credit unions they own had nothing to do with causing the breach in the first place," CUNA President and CEO Jim Nussle says.
Nussle urges the U.S. Congress to play a role in addressing data breaches "by making sure all of the participants are playing by the same set of data security rules, and that merchants who hold consumer data and allow that data to be breached, are responsible for the costs incurred by others."
CUNA conducted a similar survey in January about the impact of the Target breach. That survey found that the breach cost credit unions nearly $30 million.
The National Association of Federal Credit Unions also has stressed the need for congressional action to hold retailers liable for costs associated with breaches, which force credit unions to reissue potentially compromised cards and invest in technologies that detect fraudulent activity sooner.
But retailers say the NAFCU and CUNA are falsely blaming retailers for cybersecurity gaps out of their control. In an Oct. 30 letter sent to Nussle and NAFCU President and CEO Dan Berger, the Retail Industry Leaders Association says CUNA and NAFCU have misguided the public by pointing fingers at retailers, as data breaches occur most often at financial institutions, not merchants.
RILA also points out that merchants do suffer loses related to breaches, as they are subject to pay certain fees and breach recovery expenses imposed by the card brands after breaches occur.
"As parts of the same payment ecosystem, it is important that our shared goals remain the improvement of cybersecurity and protection of consumers," RILA writes. "The Merchant-Financial Services Cyber Security Partnership is a collaborative effort that has brought together more than 250 executives from all segments of the merchant and financial services communities to work with their peers to protect their shared customers. Unfortunately, while retailers, restaurants, convenience stores, hotels, national banks, card networks and community banks have joined the partnership, one constituency has still not seen fit to participate: credit unions. It is past time we started working together for the greater good of America's consumers."
Background on the Breach
Home Depot, in a Sept. 18 statement, said that to evade detection, the criminals involved in the cyber-attack against it used custom-built malware, which has not been used in other attacks. The malware, which was present on Home Depot's payment systems between April and September, has since been eliminated from its U.S. and Canadian networks, the retailer says.
Home Depot said there's no evidence that debit PINs were compromised in the breach. Stores in Mexico, and customers who shopped online in the U.S. or Canada, were not affected the breach.
Home Depot estimated it will spend $62 million in fiscal 2014 for breach-related costs, including investigating the incident, providing credit monitoring services to its customers, increasing call center staffing, and paying legal and professional services. The company expects its insurance to cover about $26 million of that expense.
Executive Editor Tracy Kitten contributed to this report.