
Another CU security blunder

Posted by Trey Reeme on June 4th, 2007

Robbie links us to the Jax Federal Credit Union file leak.

“We regret this happening but we’re trying to do everything we can to minimize any inconvenience to our members,” JAXFCU CEO Gerri Sexsion told First Coast News Thursday.

She says the bank was sending information to a printing company that included names and social security numbers.

“The printer’s website was not secure and somehow in that exchange it was picked up by Google,” said Sexsion.

Last month I was giving a marketing workshop and told this story of my credit union deceiving me two years ago. They printed “Important information about your account” on the outside of a sales letter to trick me into opening it.

While telling the story to the room of marketers, one interrupted, “Our credit union sends those out. It comes from a third party and they design the envelope. So we can’t do anything about that.”

“But it has your name on it,” I responded.

Forgive the cliché, but I saw the lightbulb switch on.

I feel sorry for Jax. I feel sorry for P1. Neither intentionally put their members’ data at risk. In Jax’s case, a vendor was the source of the data leak. Unfortunately for Jax, the public doesn’t see it that way. Fair or unfair for them, it is what it is.

Just like my credit union is still on the hook with me for sending that letter out. They didn’t print it, but it made it to my mailbox on their behalf.

Posted in Communicating, In the News

Comments

  1. Matt Dean on June 4th, 2007 said:

    Is there any reason why the printing company would have needed the Social Security numbers for printing a preapproved auto loan mailing? Are most credit unions careful about not sending unneeded personal information, even if it is sent in a secure manner?

    It sounds to me that JAXFCU has done a good job of putting out a fire, and we all know that fires happen no matter how careful we are. I commend them for their response and am not trying to condemn them for their initial mistake. I’m just hoping we can all learn from it.

  2. Jeff Hardin on June 4th, 2007 said:

    Hi Trey,

    Thanks for posting this! Your initial post is 100% spot on, IMHO!

    These incidents point out the need for credit unions to get some schooling in crisis communications—especially now with the ways in which information can spread like wildfire through the Internet.

    The link to another story about Jax that Denise posted in the P1 thread showed that Jax “gets it” a whole lot better than P1 has so far. In that story, the Jax CU official basically says .. here’s what happened and here’s what we are doing about it. A good, solid response to the incident … that did not strike me as being defensive in the least.

    Jax should also be commended for using the media to communicate their message in a very clear way and to re-state their commitment to their members. That’s all anyone can ask for as a consumer/member.

  3. James on June 4th, 2007 said:

    I have seen this also in my past experience; on one occasion it was caused by the CU leveraging an existing extract for bringing in a new vendor, without really auditing the fields that were needed. After one ‘incident’ that involved a payment processor, a past CU of mine created a committee that reviewed all outgoing communications with vendors. We rated them on risk, confirmed with the vendors the fields sent versus fields needed and submitted the information to each department that was the functional owner of the vendor relationship. This made audits easier, and sure made reacting to the crisis easier.

  4. Ron Shevlin on June 4th, 2007 said:

    According to the press release (?): “The printer’s website was not secure and somehow in that exchange it was picked up by Google,” said Sexsion.

    This is not an acceptable explanation. I don’t know of any financial services firm that my company works with that allows SSNs to be communicated outside the FI.

  5. Tony Mannor on June 4th, 2007 said:

    I can’t speak to the issues raised by the JAX or Priority One situations. I can only speak on behalf of an agency (ours) that deals with this type of information on a daily basis. I hope this helps some of those credit unions who are looking in the mirror right now.

    Typically the list data we receive is not only compressed and encrypted but sent next day air to the printers. This allows us to maintain a documented chain of custody for the information.

    Emailing or serving unencrypted data over the internet is never permitted. I am not saying that this was the case with Priority One (JAX kinda admits to something like this) – but our partner printer would freak out if we sent them unsecured data like this. They understand that they, we and the credit union could be held equally responsible if there were a breach of security.

    My heart goes out to the members and credit unions facing this. I can only imagine how the people at these credit unions feel. They aren’t robots, I am sure they feel sick about “letting down” their membership as well as maybe a little fear for their jobs depending on their level of involvement.

    I think we each need to look internally and make sure our laundry is clean. This situation had members of my team calling each other over the weekend to talk about how we deal with secure data and to make sure that we are diligent in our policies and protocols.

    And, a final thought, whoever is creating the lists for your credit union – create your a-list, your b-list or whatever lists you are generating and make sure you delete any of the columns that you do not want printed. We always do a mail merge data layout on our mailings and get approval then send to the printer. Printers just don’t need information like SSNs or DOB or MMN to print a pre-approval letter or envelopes. So don’t send it.
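As an added example (not code from this blog or any of its commenters), here is one way to enforce the “approved data layout” step the comment above describes: a Python filter that rewrites a member extract to an agreed list of mail-merge fields before anything goes to the printer, and reports any SSN/DOB/MMN columns that were in the source extract so the extract itself can be fixed. The field names and sample records are assumed and constructed, not from the page.

```python
import csv
import io

# Assumed (constructed) layout: the only fields a printer needs for a
# pre-approval letter and envelope. Nothing outside this tuple may leave the CU.
APPROVED_LAYOUT = ("member_id", "first_name", "last_name",
                   "address1", "city", "state", "zip", "offer_code")

# Fields the comment names as never needed by a printer.
SENSITIVE = {"ssn", "dob", "mmn"}


def filter_extract(csv_text, approved=APPROVED_LAYOUT, sensitive=SENSITIVE):
    """Rewrite a member extract to the approved layout.

    Returns (filtered_csv, dropped, sensitive_seen): dropped lists every
    column removed; sensitive_seen lists the removed columns that should
    never have been in the extract at all, so the source extract can be
    tightened. Raises if an approved column is absent, so the layout stays
    the single source of truth instead of silently shipping blanks.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    header = [h.strip().lower() for h in reader.fieldnames or []]
    missing = [c for c in approved if c not in header]
    if missing:
        raise ValueError(f"extract is missing approved columns: {missing}")
    dropped = sorted(set(header) - set(approved))
    sensitive_seen = sorted(c for c in dropped if c in sensitive)
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(approved)
    for row in reader:
        # Normalise header case so "SSN" and "ssn" are treated alike.
        norm = {k.strip().lower(): v for k, v in row.items()}
        writer.writerow([norm[c] for c in approved])
    return out.getvalue(), dropped, sensitive_seen


# Constructed sample extract: a core-system dump carrying far more than the
# mailing needs (all values are fake).
SAMPLE_EXTRACT = """member_id,first_name,last_name,address1,city,state,zip,offer_code,SSN,DOB,MMN
1001,Ann,Lee,1 Main St,Jacksonville,FL,32202,AUTO07,000-00-0000,01/01/1970,Smith
1002,Bob,Ray,2 Oak Ave,Jacksonville,FL,32204,AUTO07,000-00-0001,02/02/1980,Jones
"""

if __name__ == "__main__":
    filtered, dropped, flagged = filter_extract(SAMPLE_EXTRACT)
    print(filtered)
    print("dropped:", dropped, "| should never have been extracted:", flagged)
```

A non-empty `sensitive_seen` is the signal to go back to whoever built the extract, as the third comment describes, rather than just relying on the filter.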
