Retail Data Breach: Rushing into the Breach


When the largest-ever retail payments system data breach suddenly erupted, ICBA quickly mobilized for its members—speaking out, providing resources, and educating the media and policymakers

By Vanessa Drucker

The first news reports were alarming but sketchy, and information was fluid. That it was a massive retail data breach involving payment cards quickly became clear. But plenty of unanswered questions rapidly piled up.

How did it happen? What kinds of payment cards were compromised and where? What data was stolen? What were the monetary losses? How many consumers were affected? How many were community banks’ customers?

“First we learned of the Target breach, then another at Neiman Marcus, and the magnitude of the impact kept changing.”
—Lilly Thomas, ICBA vice president and regulatory counsel

The situation and questions would further mushroom from there.

This was in December, the height of the holiday shopping crush. Soon news reports began to confirm that the breach at Target Stores Inc. had compromised 40 million debit and credit card accounts and subsequently the personal data of up to 70 million consumers. That cybercriminals had several weeks of access to customers’ personal and card information was stunning. Similar scenarios would be confirmed when it was learned that the same malware infection was used at Neiman Marcus and other retailers.

Thomas, a regulatory expert on data security, became part of a quickly assembled ICBA staff working group to follow developments surrounding the breaches and help community banks involved. Huddled in a newly established war room at ICBA’s headquarters in Washington, D.C., the group included the association’s data security, payments, government relations, IT and media and communications staff as well as ICBA Bancard staff.

“We wanted to concentrate and coordinate ICBA’s resources and staff expertise to share accurate information and react quickly,” Thomas points out. “The internal working group quickly developed to do that, and it proved vitally helpful and effective.”

Throughout the early days of the event, the working group would assemble every morning around a wood-grained conference table in ICBA’s Washington headquarters, assessing the previous day’s developments and coordinating responses. “Events were moving fast, and this was a complicated incident,” says ICBA Executive Vice President of Regulatory Policy Viveca Ware, a payments and regulatory expert and a member of the working group. “We needed to sit down and communicate face-to-face before everyone had to sprint off to do their jobs and respond to what was unfolding.”

“ICBA Bancard learned that it had more than 70,000 card accounts affected and had to move swiftly to distribute information to our clients,” says Alan Nevels, a card security expert and working group member. Nevels is senior vice president, card risk and merchant services at ICBA Bancard, ICBA’s electronic payments service subsidiary, which helps more than 2,000 community banks across the country establish and maintain debit and credit card programs.

Soon the key facts surrounding the breach would unfold. In late November, a piece of malicious software, injected into Target’s centralized servers, had stealthily taken control of the retailer’s point-of-sale terminals. The malware involved, allegedly inserted through a third-party heating and air conditioning service, contained a hidden program that activated at Target checkout terminals when a customer swiped his or her credit card, at the height of the holiday shopping season. The virus then unencrypted a purchaser’s account number, cloaked and deposited it in a corner of the company’s servers, and later directed it into the thieves’ programs.

The sophistication of the cyberattacks was breathtaking. How could this happen?

Down in the war room

The immediate objective of ICBA’s working group was clear but broad—to help community banks as much as possible respond to the largest data breach ever. Nationwide the fallout from the breaches, from California to Connecticut, was stressful and chaotic for many community banks. Their cardholders were distressed and inconvenienced, and financial institutions had incurred hefty expenses. Many community bankers began calling ICBA with questions.

Barbara Huhndorf, assistant vice president of credit card services at Farmers State Bank in Marion, Iowa, reports that almost 250 credit cards and 1,500 debit cards owned by customers of the $655 million-asset community bank were affected. Farmers State Bank pinpointed the compromised cards and notified cardholders that their cards were being shut down.

“It caused a lot of turmoil, extra work and effort to extract all this manually,” Huhndorf says.

Later, community banks nationwide would have to replace about four million cards, at an estimated cost of $40 million. These costs accumulated from the various operational steps that were necessary to serve and protect cardholders: embossing and encoding the new plastic cards, set-up and processing fees, postage and new PIN mailers, and activation notifications. Whatever reputational harm the breaches caused the industry and, unfairly, individual community banks would be incalculable.

To knock down misinformation or any potential blame toward community banks, ICBA took responsibility for making its staff experts available to release timely and accurate information to the media. Journalists from a wide range of news outlets were posing a barrage of questions. What does it cost banks to reissue a card? Can they recover losses? What do retailers pay? Is ICBA collaborating with other affected groups? Will new computer-chip technology solve the problem?

ICBA’s main focus in working with the media was to educate reporters on how a payment card breach affects banks, retailers and consumers, and to communicate that community banks were working to make their customers affected by the breach whole.

During the industry crisis over the breach, ICBA’s press releases and its staff and leadership interviews would appear in more than 100 news outlets across the country, from the New York Times to the Associated Press to USA Today to the Walla Walla Union Bulletin in Washington state to the York Dispatch in central Pennsylvania.

The swift response helped head off considerable potential damage. “We wanted to prevent any more spillover from unfairly splashing onto community banks, and, thankfully, by staying on top of and ahead of news developments, we were able to do that,” Thomas recalls.

An industry response

While ICBA was coordinating its external communications and media relations, community banks individually mobilized across the country as well. Community banks promptly blocked accounts, lowered transaction limits and reissued cards. They also began to take on losses for fraudulent transactions, and will continue to monitor and reimburse cardholders for fraudulent transactions, as promised by the zero-liability commitment for Visa and MasterCard activity.

One of the first tasks on the agenda for ICBA’s working group was to prepare an online toolkit, including a security breach response guide, to give community banks a useful resource for dealing with customer and media questions, as well as a framework for proactive ways to minimize fraud. Site visitors found the recommendations useful for staying vigilant and mitigating losses.

The breach response guide advised banks to reassure customers about zero liability, while reminding them to watch for unauthorized purchases, obtain regular credit reports and protect their personal information. It also advised community banks to follow news sources and fraud alerts from their payment card networks and processors. The latest information would help prioritize which cards to reissue, and to heighten monitoring on remaining exposed cards.

As new information emerged, the working group kept adding resources to the toolkit. Its staff members pooled together elements on how to communicate, including ideas from Visa and MasterCard materials. The materials developed included a Q&A document and sample communication templates that banks could publish with their own names and logos. Press releases provided tips for consumers to protect data, such as by using unique passwords, monitoring statements or avoiding saving financial information on computers, tablets or phones.

At the same time, the working group continued to distribute daily news updates in ICBA’s NewsWatch Today electronic bulletin.

On Jan. 15, the working group organized a one-hour town hall-style audio conference for community banks, attracting 400 participants. “We wanted to form a venue where banks could share with each other what they were experiencing and receive guidance,” Nevels says.

Back at Farmers State Bank, Huhndorf found the conference supportive. “I appreciated the opportunity to sit in on a forum with other community banks, and see what our peers were doing,” she says, “and we got official details about specifics of the breach, and recommended actions.”

Messaging on Capitol Hill

Meanwhile, ICBA’s working group turned its attention to Congress. The association wanted to educate lawmakers about the effects of the breach and the uneven data security standards that exist between banks and retailers and other participants in the card payments system.

“Merchants benefit from the acceptance of payment cards, and they certainly should be responsible for the fallout resulting from breached payment card information.”
—Viveca Ware, ICBA executive vice president, regulatory counsel

A series of meetings, letters and joint memos to Capitol Hill were dispatched, articulating how the community banking sector seeks equitable legislation to protect its interests, and highlighting the need for a national notification standard. By early January, ICBA had met with relevant committees and senior staff, both Republicans and Democrats, on both the House Financial Services and Senate Banking Committees.

Shortly thereafter, ICBA submitted statements for each of five hearings, in the Senate Banking Committee, the Senate Judiciary Committee and the House Energy and Commerce committees. In advance of one congressional hearing on Jan. 31, ICBA joined with the Consumer Bankers Association, the American Bankers Association and the Financial Services Roundtable in a conference call with reporters.

“It was crucial to get in front of key members of Congress and their staffs as the details of the breaches unfolded,” explains Aaron Stetter, ICBA senior vice president, congressional relations and advocacy, and a working group member. “We had to get them the key facts while so many lawmakers were focused on the issue. That allowed ICBA to advance its position for bringing more nonbank security and accountability to the payments system.”

During Senate and House hearings that followed, ICBA explained how financial institutions were shouldering millions of dollars in costs to reissue cards and undertake their fraud mitigation efforts to protect consumers in the wake of the retailers’ data breaches. For example, more than 15.3 million debit and credit cards had to be replaced, the association pointed out. The hearing statements also gave ICBA another opportunity to explain card security technology as well as to discuss the need for promoting more effective accountability and cooperation among all participants in the payments system.

In the end, ICBA’s concerted mobilization on behalf of community banks after the data breaches was all about supporting its members in need on Main Street. Whether speaking out for the record, developing resources or advocating with policymakers, ICBA will always respond when its members are in need. While no one can completely prevent cyberattacks from occurring, the association won’t stop working to ensure community banks will be protected and fairly treated if and when the next big breach breaks out.

As ICBA’s Ware says, “We’ll be here for community banks whenever they need us—ready to mobilize.”

Vanessa Drucker is a writer in New York.