February 19,2009
-
News: NC CU CCs Breached.
The large "State Employees Credit Union" for employees of the State of North Carolina with over 100,000 members, has determined that their institution is part of a large-scale credit card breach. As of yet, no firm link has been made to the Heartland credit card breach which took place back in November and may have extended to later months. In any case, the link wouldn't be direct because Heartland is only linked to merchants, while CU members are only tied to banks. The connections to the Heartland breach would only occur as CU credit card holders used their cards to make purchases at businesses contracted to Heartland. Though Heartland must not publicly divulge who their 250,000 merchants are (175,000 of them are believed to have been affected), the credit union believes that many are convenience stores and filling stations in the North Carolina area.
Whether or not this is related to Heartland, it has been determined that a breach has occurred. An inordinate percentage of the credit union's members have had their credit card profiles compromised. One unique detractor in this breach was the fact that social security numbers, CVV number's (the 3 to 4-digit number on the back of a card), unencrypted PIN numbers, addresses and zip codes were not compromised. This was not the case, as reported, at Heartland. It was reported from the Heartland incident that CVV codes were compromised. This is a big distinction. Having CVV codes compromised are much more detrimental to the risk of the card holder. With this information, stolen credit cards can be maxed out in minutes with very little risk to the thief. Purchases can be made remotely (over the phone or on-line) so the thief is never physically exposed (present for the transaction).
So, the credit union is taking the high road by automatically reissuing new debit cards and PINs (personal identification numbers) to their at-risk customers. They are not required to do this but have chosen to pay the added cost in order to better-protect their customers. They emphasize that the members "are not in any way obligated for fraudulent charges on their [debit or credit] cards, and no personal information was included in the breach," as stated by spokesman for Heartland Payment Systems' Jason Maloni.