Cost of Responding to the Target Breach in the Northwest: $1.3 Million and Counting

Northwest credit unions have already spent an estimated $1.3 million responding to the massive theft of financial data from Target stores, and the preliminary results of a nationwide survey indicate that those costs could grow substantially if fraud losses mount.

The survey by the Credit Union National Association puts the cost to credit unions across the country at somewhere between $25 million and $30 million to date. That total includes the cost of reissuing credit and debit cards, as well as costs for additional staffing, member notification and account monitoring. It does not include fraud losses, which CUNA says are likely to occur later and could be substantial.

“Contrary to what some may think, these expenses will not be reimbursed to credit unions and their members by Target or other retailers,” says CUNA President/CEO Bill Cheney. “Rather, credit unions must solely cover the costs of … reacting to a merchant data breach. And because of credit unions’ cooperative structure, the costs of such breaches are ultimately borne entirely by credit union members.”

The theft of payment-card and personal information affected more than 110 million Target customers who shopped at the retailer’s U.S. locations during the holidays, making it one of the biggest thefts of its kind in U.S. history. In addition to “track data” from debit and credit cards, thieves also stole customer names, mailing addresses, phone numbers and email addresses.

In the Northwest, the heist has affected an estimated 258,000 credit and debit cards issued by credit unions, or nearly 28 percent of their total cards outstanding. Responding to the Target breach has cost credit unions an average of $5.10 per affected card, the CUNA survey says.

For the region’s large credit unions, that would make the financial impact of the Target breach staggering — BECU alone will reissue more than 88,000 debit and credit cards, for example. In Salem, Maps Credit Union has replaced 3,922 cards; in southern Oregon, Rogue Credit Union has replaced 2,891. But smaller Northwest credit unions are feeling the effects, too.

Consolidated Community Credit Union has already replaced 1,200 cards; President/CEO Larry Elllifritz says that represents about 20 percent of the Portland credit union’s outstanding plastic. PointWest Credit Union has reissued 575 cards. And on the Oregon coast, Wauna Credit Union will replace about 500 of its cards, Card Services Director Donna Goff says.

“Our credit unions worked quickly to prevent fraud against their members by blocking affected cards and reissuing new cards,” says Troy Stang, the Northwest Credit Union Association’s president and CEO. “But these security measures come at a cost to cooperative financial institutions, and ultimately to their members. It’s ironic that none of these costs are currently recoverable from those retailers who are ultimately responsible for their systems being breached.”

Credit unions were asked to report two things to CUNA: the cost of reissuing cards, and all other costs related to the Target breach. Through Wednesday, 37 Northwest credit unions had responded to the survey — 23 in Washington and 14 in Oregon. Those credit unions can update their totals as new costs are incurred, CUNA says, and other credit unions are still encouraged to respond.

The survey is available here, and there is no deadline.

“We’ll keep the survey up until credit union responses fade out,” says CUNA Chief Economist Bill Hampel. At that point, CUNA will report its final estimate of breach-related costs, and the data will be used in conversations with lawmakers and regulators.

Through Wednesday, 936 credit unions had responded to the survey.

By combining specific survey responses with Call Report data from all 50 states, CUNA estimated that credit unions nationwide have 15 million credit cards (911,000 in the Northwest) and 51 million debit cards (2.8 million in the Northwest) outstanding. Of those, an estimated 652,000 credit cards (39,000 in the Northwest) and nearly 4 million debit cards (219,000 in the Northwest) were affected by the Target breach.

The survey also shows:

  • The average cost of reissuing a card is $3.06. The average of all other related costs is $2.04 per affected card. That puts the average total cost incurred by credit unions at $5.10 per affected card.
  • 77 percent of credit unions will or have reissued all affected cards; 21 percent will or have selectively reissued cards in response to member requests; 2 percent do not plan to reissue any cards.
  • 93 percent of credit unions were notified by their card processor or network that some members’ cards had been affected. Of that total, 42 percent were notified on Dec. 19, and nearly three out of four credit unions were notified by Dec. 21.
  • 35 percent reported having to increase staffing in response to the breach.
  • 38 percent said call volume increased by as much as 25 percent following the breach; 36 percent said call volume was either normal for this time of year or increased by less than 10 percent.

Meanwhile, in related news this week:

  • Several sources reported that Target and Neiman Marcus are not the only U.S. retailers whose networks were breached over the holiday shopping season. The Reuters news service said that at least three other well-known U.S. retailers were hit by breaches, although it didn’t identify them. The cybersecurity firm iSight Partners Inc. put the number of additional compromised retailers at six. And another cybersecurity company, IntelCrawler, said retailers in Arizona, California, Colorado and New York were compromised, all with the same malicious software used in the cyberattack on Target.
  • Target sent emails to the 70 million people whose personal information was compromised, offering one year of free credit monitoring. But so did scammers, and now the company is urging its customers to be wary. The company posted a copy of the real email online and told customers to make sure the email they received matches it. In any case, the company said, don’t click on any links within the email; instead, retype the address for any external website in your browser. And always remember: Target will never email a consumer and ask for personal information like a Social Security number or credit card information.
  • Neiman Marcus is offering free credit card monitoring and ID theft protection to anyone who shopped at its stores or online in the last year. The luxury retailer says customers’ payment cards have been used for fraudulent purchases following the recent data breach, although Social Security numbers, birth dates and PIN numbers were not compromised. Details and sign-up instructions are available Neiman Marcus’ website.

 

Questions? Contact Gary Stein: 503.350.2216, gstein@nwcua.org.

Posted in CUNA.