PRINCETON, N.J. - Credit unions around the country were scrambling this week to isolate fraudulent transactions and block debit cards that may have been exposed to hackers by a massive breach at third-party processor Heartland Payment Systems, the latest in a long series of cards scandals.
"For the last three months we've been having losses and we couldn't figure out the source of it,"said Luke Labbe, president of PeoplesChoice FCU, in Biddeford, Me., who determined this week that hundreds of accounts were leaked through Heartland, which processes merchant accounts for the credit union's processor, Fiserv EFT.
The credit union, which is busily cancelling and reissuing about 500 cards, pays up to $15 apiece to replace cards, according to Labbe. It has accrued at least $40,000 in fraud losses on its Visa debit cards over the last three months. "This is a huge expense for a small credit union or bank," said Labbe, whose credit union recorded at least $20,000 in fraud losses last year from the cards breach at Hanneford Bros. supermarket chain.
Heartland, which processes accounts for as many as 250,000 merchants, notified its customers Wednesday of the breach that may have occurred as long as six months ago and exposed as many as 100 million accounts, making it one of the largest cards breaches ever.
"We're 99% sure it's Heartland," said Tom Shields, president of Piedmont CU, in Danville, Va., who said yesterday his members have been hit by about $20,000 in fraudulent transactions on Visa debit cards in recent weeks coming from such far-flung places as Florida, Texas and North Carolina. "There's been at least 60 or 70 accounts affected, that we know of, so far," he told The Credit Union Journal yesterday.
Piedmont was notified, not by Visa, or Heartland, but by its cards processor, also Fiserv EFT, said Shields.
Across the country, in Salem, Ore., Oregon Territory FCU has been working for several weeks trying to determine the source of a data breach that has caused tens of thousands of fraudulent transactions on member accounts, tracing it to the Heartland, which processes merchant accounts for its processor, also Fiserv EFT. "We knew the breach was not a small one, based on the way it was spreading," said Alycia Howell, vice president for the $60 million credit union, of the nationwide data leak.
"Members were contacting us claiming there were transactions on their accounts that weren't theirs," said Howell. "Our phones were just flooded with calls. It was just non-stop."
The three credit union executives each recounted how the perpetrators apparently created phony cards on their members' accounts with information stolen from Heartland, then tested the cards at gas stations, sometimes with small purchases, sometimes with purchases over $100. Then the cards would be used at retailers, mostly Wal-Marts, but also Home Depot, Kmart, Publix, and Heb grocery on the northwest to buy as much $1,000 at a time of merchandise or gift cards. Oregon Territory FCU's Howell even said her card was used to make a $300 transaction at Marshall's in Florida.
Fiserv was able to put a block on signature-based debit transactions at the targeted retailers to require PINs, according to Howell.
Credit unions around the country were reporting affected accounts: Notre Dame FCU, South Bend, Ind.; Bangor (Me.) FCU; Atlantic Regional FCU, Brunswick, Me.; Hutchinson (Kan.) CU, among others.
So far, Oregon Territory has recorded 102 affected accounts and as much as $50,000 worth of fraudulent transactions on those cards.
Howell was frustrated because her credit union was never notified about the possible breach by Heartland or by Visa. "Our first (card) alert came Tuesday from Visa," she said. "We got nothing from Visa until Tuesday."
"We didn't know until Wednesday how massive the breach was," said Howell