
CU gets heat on PC World blog

Posted by Trey Reeme on May 31st, 2007

From Steve Bass’s Tips and Tweaks on the PC World website -

They recently sent election ballots to members. Printed on the outside of the envelope were some numbers. The first was our account number.

That might not have been enough to help with anyone intent on identity theft, so they also printed my social security number on the envelope.

I received a letter of apology the other day. They told me they deeply regretted the inconvenience. (See Important Security Message to Members.)

Me, too.

I see it as much more than an inconvenience. I also doubt that their “top priority is my privacy and security,” otherwise this wouldn’t have happened.

And it was picked up by Catherine Forsythe in a post titled Steve Bass is Annoyed -

It is also Priority One Credit Union’s bad fortune to annoy a widely read tech writer. This can’t be good for a financial institution’s public image.

Good luck to the ‘real’ Steve Bass – I have a hunch that Steve will be writing more about identity theft in the months to come.

To which Steve responded in the comments, “Oh, you’ll hear more, no doubt. Just as soon as I find a new credit union…”

As you know, I’m bullish on a FI responding in cases like this – but let’s put it to a vote anyway. Should the CU respond in the comments on these blogs, especially on Steve’s initial post?

If they’re interested in seeing a great example of a CU crisis communications response, here it is.

Posted in Communicating, In the News

Comments

  1. VSelfridge on May 31st, 2007 said:

    YIKES.

    Outside of the more public blog response approach:

    I hope a “back channel” approach has been taken to speak with Steve directly about the incident, what has been done to make sure it doesn’t happen in the future, etc.

    After reading the letter to members – I can understand why Mr. Bass doesn’t have confidence that his CU’s “top priority” is protection of his personal information. The letter doesn’t seem “genuine”... Though, I’m sure there was a long discussion at the CU about alarming more people with the letter!

  2. Jeff Hardin on May 31st, 2007 said:

    YIKES, is right! That letter looks like it’s been lawyered up to minimize liability.

    I had a conversation with someone about this yesterday … and I know for myself that my credit union would get the death penalty for something like this. Sorry Charlie, no do-overs.

    I wonder how the “legalese” response to a hideous blunder will cause members sitting on the fence to bail on the CU?

  3. Ron Shevlin on May 31st, 2007 said:

    Seems to me, Trey, that there’s a more important question than “should the CU respond in the blog”. Namely: Should the CU have offered something more substantial than a free one-year subscription to Equifax?

    Steve’s suggestion that FIs be required to provide assistance in the case of ID theft is reasonable.

    Would be nice to see FIs do the right thing IN ADVANCE of being legally required to do so.

  4. Trey Reeme on May 31st, 2007 said:

    @V: Great call on a back channel approach – going to Steve directly.

    @Jeff: You’re right – when are companies going to stop talking like legal robots?!

    @Ron: I don’t think I could be bought here, either – and certainly not with a year of credit monitoring. I’d either see it as an isolated incident and continue to trust my CU (not likely) or I’d find another FI. Honestly, no amount of “blogger relations” would influence my decision to stay a member or leave – but it could influence others who see the thread.

    Give this a few weeks (if that) and a search for that CU’s name will likely have that PC World post near the top of the list. I believe that’s reason enough for the CU to apologize directly on the blog. (They’d better leave no question as to whether or not they mean it, too. If the apology is insincere, they shouldn’t comment.)

  5. Matt V on May 31st, 2007 said:

    A few weeks for the PC post to be near the top of a Google search?

    Try right now! It’s the 4th link when you search the CU’s name.

    Ouch…

  6. Trey Reeme on May 31st, 2007 said:

    Matt – WHAAAA? Holy moly. I didn’t even look, as I thought, “Nah. Not yet.”

  7. Jessica on May 31st, 2007 said:

    Wow, that is amazing that an error like that could even happen! I think they’re going to have a hard time retaining membership after something like that!

    But yeah, someone definitely needs to respond, both in the blog AND to him personally. I’d be curious as to how other members are responding.

  8. Steve Bass on May 31st, 2007 said:

    I’m glad to see some people actually taking this issue seriously.

    @Jeff: Legalese? I call it a bumbled CYA. The letter tried to downplay the seriousness of the security breach in a condescending way. For one thing, they didn’t even have the courage to say “account number” and “social security number” at the start of the letter. Instead, Wiggington explained that the “information was not printed in a format that would be immediately recognizable.” That just infuriated me.

    @ VSelfridge: I wrote an admittedly scathing letter to the CU, sending it via regular mail. I tried reaching them through e-mail and forwarded links to blogs. To date, I haven’t had the courtesy of a front or back door response.

    @Ron: One other suggestion I offered was to provide a free one-year identity theft insurance policy. Even though the coverage isn’t super valuable, at least it provides some help should I be victimized.

    @ Matt V: I’m guessing it will stay at the top of the Google list for a while. And it’ll be back at the top of Google when the original blog is distributed in my 105K subscriber PC World newsletter. And I’m not finished. I’m working on a follow-up story.

  9. Frank J. on May 31st, 2007 said:

    Priority One clearly blew it. No question.

    However, am I the only one who is gagging over Steve’s arrogant attitude and clear focus on trying to leverage their mistake to advance his personal brand? Why is it that so many in social media appear to have absolutely no journalistic integrity?

    Steve, how about taking the time to think about your true intentions for your continued attacks on Priority One? Other than yourself, who are you really trying to help?

  10. jbf on May 31st, 2007 said:

    Reacting without emotion to a mistake we make can be hard. We have all made missteps (small and large) in our personal lives and professional lives, I know that I hope my mistakes cause minimal impact to my company, the members they serve and of course myself. But in this instance, some clear thinking could have really helped out not only in the short but the long term. Fear of ID theft has been heightened in the media, it is a great story, a ‘boogieman in the shadows’ type of story. Regardless of the statistical chance of impact to the member someone should have worked on the perceived impact not just hitting the minimum CYA. Members feel vulnerable when something like this happens, the CU has an opportunity to help mitigate this by being a good listener to their issues, and to offer solutions not only that meet the minimum but rise to the level that helped the member decide to put their life savings with the CU in the first place. I look forward to hearing your ongoing efforts.

  11. Jessica on June 1st, 2007 said:

    No, I’m not gagging at Steve or any sort of arrogant attitude. I think he’s right on. I’m upset about the fact that it happened and I’m not even a member. As a financial educator, I will tell you that identity theft and fraud are a REAL problem. It is not to be minimized. While the media may have heightened fear, it is not without warrant. Trust me, I’ve been receiving phone calls left and right all week, just because someone has been sending out fraudulent e-mails with our credit union’s name on them asking for people’s personal financial information. I deal every day with people coming in who have applied for a payday loan online and suddenly every payday loan company on earth is taking money from their account. So, imagine what these people will do when you willingly hand over your social security number and account number! It’s insane! It wouldn’t take me five minutes to go in and close out my account for fear that the account number would fall into the wrong hands. But then to think that they have your social as well! This is a VERY BIG deal! People and businesses make mistakes, but some mistakes are unacceptable and unforgivable. As for advancing his own personal brand, it’s his site, he can do that! And from what I can tell, he has some useful information on there. People will learn over time what’s reputable and what’s not. If they’ve been reading for a while and see that his information is reputable, then there is no reason to believe this is not. He has the right to tell anyone he wants, just as he would if he was out on the street talking to a friend. We all vent about our problems and issues. It’s no different than warning someone about a certain restaurant because they served a meal with a roach in it! Let’s just call it what it is!

  12. shari storm on June 1st, 2007 said:

    Having written letters like this in my career, I must jump to the defense of Priority One Credit Union.

    First, there is a difference between a security breach and an error. A breach implies that information was purposely compromised for criminal intent. As far as I can see, this isn’t the case in this situation.

    So, let’s assume that Priority One Credit Union did not do this intentionally, nor did their vendors.

    Secondly, I’ve been in the situation where, no matter how much due diligence and oversight my credit union did, a vendor simply screws up. This happens, especially when you are trying to household a group of accounts and you need one identifier to pull all accounts together.

    So, let’s assume that Priority One was not being negligent.

    Going on those two assumptions, Priority One had to write a letter. I don’t see what is wrong with the letter? Too “legalese”? The fact is, we operate in a highly regulated industry in a highly litigious society. In addition to that, our membership is not your average blogging community. We can’t send them letters that say, “dude, we screwed up. We are really, genuinely sorry about that, man.” The letter was exactly what it had to be – professional, clear, to the point and confident.

    I don’t think we should undervalue all of the things Priority One put in place as a result of this error. To me, they are doing all they can to rectify their mistake. As a side note – I’ve looked into providing Equifax credit monitoring services when we had a security error. I am sure that decision is costing Priority One tens of thousands of dollars. They should be given more credit for offering that up. Particularly since the odds of anyone actually being a victim of identity theft because of this particular error are slim.

    Priority One is going to take their licks from people outside of our industry. I don’t think other credit unions should jump on the bandwagon and start criticizing them as well.

    I am giving them the benefit of the doubt that they made an honest mistake and are working very hard to make things right for their members.

  13. Ron Shevlin on June 1st, 2007 said:

    @Shari: I think you’re right on here. Well, except for one little thing—the Equifax thing. Yes, this might cost Priority One “tens of thousands dollars”. But guess what? ID theft might cost its members hundreds of thousands of dollars.

    The Equifax offering is a cop-out. It says “here—we’ll pay for YOU to monitor your situation for a year.” Not only is one year not good enough (the TJX incident happened YEARS ago, and is still impacting customers), but, more importantly, it puts the onus of prevention on the member. Why should I (as a member) have to take on additional work/effort/headache as a result of YOUR mistake?

    I don’t know what the answer is. Maybe Priority One needs to hire a SWAT team that does the monitoring for its members.

  14. Jeff Hardin on June 1st, 2007 said:

    Shari -

    I respectfully disagree. The letter really doesn’t address specifically what happened, let alone how it happened. If a vendor was responsible for the error, that vendor should be fired. Publicly. Now.

    If an internal process caused the goof, that faulty process should be identified clearly, and the steps the CU is taking to fix the problem laid out.

    In my view the folks at P1 need to look at the crisis communications thread in this blog if they’d like to start speaking honestly with their members.

    And finally, I think by not communicating clearly on an issue of this magnitude, P1 is inviting lawsuits—not reducing the risk they’ll happen by wordsmithing the problem.

  15. Robbie Wright on June 1st, 2007 said:

    Yup, tough situation. Bottom line, P1 needs to step up and communicate with their members honestly and rapidly.

  16. Denise Wymore on June 1st, 2007 said:

    Priority One. That’s the name of the credit union. I think the biggest error here is in adopting that name and not making the member their first priority until AFTER something like this happens.

    Brand is your reputation. Period. I “get” the reference to the post office (Priority One)—but let’s be real. If they had a reputation for making the member priority one (in other words Steve felt some kind of love before this error) this may not have been as HUGE a deal. Their response to this, or lack of, makes me believe this was just a clever and cute name, not a business strategy.

    Shari – Your credit union’s name is Verity. Which means truth. I guess a lawyerly approach to communicating an error might fulfill your brand’s promise BUT I do think there’s room to humanize the thing. Not everyone speaks Legalese – nor do they speak Surfer Dude. How about just plain English? The truth. We messed up big time. No excuses. What can we do to make you feel like you’re our priority?

    I feel your pain and I know this is one big sucky week for that CU BUT I do think we cower behind lawyers and CYA before we really MAKE the member our priority.

  17. Digger on June 3rd, 2007 said:

    It made it to digg with 2 diggers.

    God help Priority One if this makes it to the main Digg page. If it does, it will definitely make it to the news.

    http://digg.com/security/Credit_Union_prints_social_securty_and_account_numbers_on_envelopes

  18. Denise Wymore on June 3rd, 2007 said:

    This just in—even scarier in my opinion.

    http://washington.bizjournals.com/jacksonville/stories/2007/05/28/daily24.html

    Seems like the real winner in both of these is the identity theft protection companies.

  19. John Rodarte on September 14th, 2008 said:

    The error committed by Priority One, was just that an error. However, the error could have been avoided had the president of Priority One, Charles Wiggington, actually taken the time to follow those procedures established by his predecessor, William E. Harris.

    While Mr. Harris was president, he and the former Director of Marketing, and a representative of the Business Development, would take some of the envelopes containing ballots, and carefully review these to make certain that these were sent out without errors. Unfortunately, Mr. Wiggington has said there are certain things he won’t do because they are beneath him. This, I guess, includes reviewing envelopes. Mr. Wiggington is pompous and if any of you know him, annoyingly verbose. Unlike Mr. Harris, he is more concerned with the perks of his position than the needs of his members and exercising sound judgement is apparently a choice not a requirement of his job.

    Last week, he returned to the company after an almost 7 week absence during which he was investigated following allegations of sexual harassment. The peculiar thing is that aside from the serious allegations, the company’s legal counsel, Mr. Adler, received a letter containing evidence that Mr. Wiggington and the owner of Allied Management, the credit union’s contracted collection agent, committed coercion and repossessed an automobile, specifically a BMW, from a member whose auto loan payments had become delinquent. Though a repayment plan was enacted, Mr. Wiggington took possession of the automobile. He, by the way, collects BMW’s (this is easily verifiable).

    Another allegation reported to Mr. Adler was that Mr. Wiggington granted issuance of a $26,000.00 automobile loan to a woman he found extremely attracted and who he met at Fat Burgers to discuss the details of the loan, though her credit score was 518. Interestingly enough, other members with higher scores had been denied loans seeking to borrow similar amounts.

    Also reported, were incidents citing abuse committed against employees and retaliation- all, which are illegal.

    Yet, under the Diedra Harris-Brooks, the current Chairman of the credit union’s Board of Directors, Mr. Wiggington was found to be innocent and returned to his position, though a letter issued to him on the day he was reinstated, stating “we do not believe the nature of the exchanges rises to the level of an unlawful, hostile environment.”

    The letter also advises him that he is once again being given information pertaining to the laws governing sexual harassment.

    Unfortunately, the statements gathered from numerous employees interviewed during the investigation were ignored and deemed insufficient by Mrs. Harris-Brooks who along with O. Glen Saffo, another member of the board, both of whom have often said that Priority One needs a “Black president” fought for his reinstatement. Shame on Mr. Adler, who may have chosen to circumvent his judicial and ethical responsibility to the credit union, its members, and the employees, and bent to the will of the always, over-aggressive and less than honest, Mr. Harris-Brooks.

    During the investigation, several employees attested that Mr. Wiggington often told the former employee that he wanted to “sop her up” and wanted to “spank her ass” and on more than one occasion, removed his belt in the presence of the South Pasadena staff and threatened to whip her. On the surface, his public exclamations might seem funny but they are juvenile, inappropriate, and should have been deemed an embarrassment to the reputation of this once good credit union. I believe members expect the president and CEO to comport himself in a professional manner & one befitting any reputable financial institution.

    Despite the substantiating evidence which was gathered by the investigator, Mr. Diedra-Brooks asserted her will and even attempted to keep another member, Janice Irving, from attending the meeting where the conclusions obtained from the investigation, were to be presented. Some people find it difficult to surrender control. Despite a decision which was allegedly made by the entire board, at least 2 board members argued for Mr. Wiggington’s termination. Evidently, statements supporting the ex-employee’s contentions were insufficient to warrant a finding which would have removed Mr. Wiggington as president and replaced him with a person who might turn around the financial losses, diminishing level of customer service, and brought an end to the written complaints continually being filed against him since he became president of the credit union.

    Another allegation made against Mr. Wiggington was that he reinstated a relationship with a car broker owned by Henry Justice. Years ago, Mr. Justice provided 4 members of the credit union with automobiles which they financed through Priority One. Mr. Justice also obtained financing from another credit union and thereafter absconded with the monies issued by both institutions. He filed bankruptcy, blamed the theft of the monies on his daughter, and escaped prosecution. Despite this, Mr. Wiggington recently resurrected his relationship with Mr. Justice. Mr. Justice was invited to the credit union where he sat in both the company board room and in Mr. Wiggington’s office, working out a plan to resume his relationship with the credit union. This is not only a stupid act revealing Mr. Wiggington’s lack of common sense or ability to understand that as the head of the credit union, he is responsible to protect the assets of its members. On the day, the incident was exposed to the company attorney, Mr. Wiggington called Mr. Justice and told him to deny that they re-entered into an agreement. Of course, Mr. Justice’s business cards can be found in the Loan Department at the South Pasadena office.

    There are employees who care about the members and the credit union, but this means little to nothing to a president and CEO who finds expounding on endlessly about inane personal topics, “playing”, and basking in the shadow of his over-rated title, more important than solutions for the losses the credit union has incurred since he became president or trying to retain members (the numbers of whom have increased substantially since he became president). The credit union should really consider changing its tag line, “You are our first priority.”

  20. John Rodarte on September 14th, 2008 said:

    Correction:

    “the numbers of whom have increased substantially” should have read, “the numbers which have decreased substantially.”
