Kennebec Savings Bank notifies 1,500 customers

Date Reported:
1/17/09

Organization:
Kennebec Savings Bank

Contractor/Consultant/Branch:
"Some merchant or processor"

Location:
Augusta, Maine

Victims:
Customers

Number Affected:
"approximately 1,500"

Types of Data:
"debit card numbers"

Breach Description:
"AUGUSTA -- Kennebec Savings Bank has informed 1,500 customers their debit card numbers may have been compromised in a security breach."

Reference URL:
Kennebec Journal

Report Credit:
Mechele Cooper, Kennebec Journal

Response:
From the online source cited above:

AUGUSTA -- Kennebec Savings Bank has informed 1,500 customers their debit card numbers may have been compromised in a security breach.
[Evan] It's more concerning when debit card information is compromised than it is when credit card information is.  Debit cards typically withdraw funds from people's active accounts (checking/savings) almost immediately.

Bank officials blamed the breach on credit card companies' failure to police the merchants that use their cards.

The breach was reported to bank officials by MasterCard.
[Evan] I wonder what MasterCard told bank officials.  It seems like the bank has been given very little to work with.

Mark Johnston, bank president and CEO, said customers have been asked to monitor their checking accounts and contact the bank if they see any suspicious activity.

"It's another one of these situations where possibly, maybe, there appears to be data intrusion," Johnston said Friday.
[Evan] Huh?  What does "possibly, maybe there appears" mean?

"We have very little information at this point whether it is a processor or merchant. There were approximately 1,500 (bank customers) possibly impacted by this possible intrusion."
[Evan] Why does the bank have "very little information" to act upon?  A good incident response plan ensures that the right information gets disseminated to the right people.

He said the bank is not currently planning to automatically reissue debit cards because there has not been any sign that fraud has actually occurred on bank accounts, because of the major inconvenience to customers, and because of the huge expense for the bank itself.
[Evan] The bank is in business to make money as most businesses are.

If customers are uneasy, he said the bank will send them a new card.

"This isn't the fault of the cardholder or the bank," he said. "Some merchant or processor didn't have the appropriate security measures on their equipment to prevent this."

He said his bank has multiple security measures in place to prevent a breach because security breaches are costly for banks and credit unions.

Mailings to inform customers and send out new cards also are expensive.

"None of us have done anything wrong," he said. "Unfortunately, it's the way it's going to be until Visa and MasterCard put requirements in place with penalties severe enough that merchants aren't keeping the data and, if they are, have appropriate lockdowns so no one can get any of it."
[Evan] We all know that Visa and MasterCard have put requirements in place.  We have PCI-DSS.  There are misconceptions about how effective PCI-DSS is.  PCI-DSS compliance will not guarantee the security of debit/credit card information, but it goes a long way.  There are thousands of non-compliant merchants, and their customers don't know any different.  Somehow we need to come up with a system to educate customers on knowing which merchants are compliant and which are not.  Empowering consumers will be the key.

The cost of replacing credit and debit cards that were compromised by the breach of Hannaford Bros. computer security will run into millions of dollars for Maine banks and credit unions, and those institutions likely will have no choice but to bear the cost.

Data belonging to customers of Hannaford Bros. was breached in March 2008.
 
In that incident, some 1,800 unauthorized charges were made on customer cards from December 2007 through March 2008, with the identities of 4.2 million customers potentially exposed to fraud.

Banks took much of the brunt of that security failure, as the cost of reissuing debit and credit cards is at the expense of the financial institution.
 
One bank executive at the time said the cost to issue about 14,000 new cards to customers -- including administrative time, mailings to customers and the cards themselves -- was about $10 to $12 per card in the Hannaford case.

Commentary:
We don't know much about this breach, do we?  It sounds like the bank itself is being kept in the dark too.  Let's hope that MasterCard has good reason.

Past Breaches:
Unknown


 