I Repeat…..“Only Three Things are Certain in life: Death, Taxes, and…Data Breaches” 
In 2015, I wrote an article about the certainties of our lives being affected by a data breach event. Similar to death and taxes, there are steps that we can take to mitigate its effects on our lives, but there is no way to fully prevent it from occurring. Funny how some things just don’t change….it’s nearly four years after I wrote the initial article and the certainty of data breaches occurring is as true today as it was back then. This article explains why. ​Credit unions would serve their members well to provide protection against the fallout of breach events…which just keep happening. I have only added a few new points (in parenthesis) to the article below, but the original message remains the same. ​

If Benjamin Franklin were alive today, I believe this would be his new take on his famous quote. He would recognize the inevitable fact that data breach events, like death and taxes, cannot be stopped. They certainly can be deterred and delayed, but based on the avalanche of data breach events in the past eighteen months, as well as the industry forecast for more to come, Franklin would warn, “Be prepared.” (Over a billion people were breached in just one month last year… between November 2018 and December 2018) 

We hear about the growing laundry list of companies who are focused on finding the magic pill that will give businesses and financial institutions, as well as individuals, a sense of peace and security. These companies all pinpoint individual elements of data breach exposure and create products or services sold as “preventative” solutions. Whether it is credit monitoring services, software encryption programs, EMV chip cards, document destruction, protective data storage offerings, etc., they’re all one dimensional solutions, fighting a multi-multi-multi-dimensional problem. (Blockchain technology was the 2018 “end-all solution” for ID theft….but it too has not failed to guarantee safety) 

So many former and current FBI leaders, and other criminal investigation experts, have warned about the pure fact that it is not a matter of IF you will experience a data breach, but rather WHEN it will happen. Security firms and experts on data breach, ID Theft, and cyber security all understand that the root of the problem is actually inherent in the world’s rapid technological advancements and the public desire for increasingly more data mobility & accessibility. These factors, coupled with the human element (social engineering), are the real reasons that data breach and ID theft events are not stoppable. 

The human element is responsible for almost 70% of all data breaches, even though cyber theft events get the lion’s share of headlines in major news reports. The human element consists of much more than international organized crime or the local bad guys trying to hack into your business. It is the disgruntled employee, the negligent vendor, the absent-minded manager, or simply the misplaced laptop or thumb drive of personal data…..and the list could go on. 

So when faced with the inevitable truth about data breach and ID theft events, what is the best way for your credit union to be prepared for WHEN it happens? 

Without neglecting your efforts to “deter” these events through proper policies, awareness programs, and compliance, it is imperative to have a strong and sound plan for mitigation and restoration/recovery. Incorporate strategies and solutions to help maximize your credit union’s preparedness for, and ability to, support members in their time of need, and for your institution in its time of the unthinkable. An interesting trend that was recently revealed by a Scottsdale, AZ firm, Cornerstone Advisors, indicates that consumers, especially millennials, are turning to credit unions or other financial institutions for non-financial services such as ID theft protection. And, as reported in a CU Times article, the majority of millennials are willing to consider buying bundled services at attractive prices. 
​
The good news for your credit union is there are resources to help you accomplish all of this, while also providing an opportunity to generate non-interest income as you educate your members and provide them with protection against these data breach certainties. Something perhaps even Franklin would applaud and consider “a penny saved”…. a lot of pennies!

Synthetic identity theft is a growing threat to credit unions—costing financial institutions billions of dollars. It’s a type of fraud in which a criminal uses fake information, sometimes combined with real (usually stolen) data, to create a fictitious identity. This made-up identity is used to open fraudulent accounts and make fraudulent purchases.

Credit unions and other financial institutions often fall prey to synthetic identity theft since much of the information criminals provide them with is legitimate. Synthetic identity theft allows the criminal to steal from lenders by opening credit card, auto loan and other accounts. In January, Accenture PLC listed synthetic-identity fraud as one of the biggest threats facing financial institutions in 2018.

Synthetic identity theft may account for five percent of uncollected debt and up to 20 percent of credit losses, or $6 billion in 2016, according to some industry analysts. The problem is even more acute with auto loans. TransUnion says a record $355 million in outstanding credit-card balances was owed by people who it suspects didn’t exist in 2017, up more than 8x from 2012.
Synthetic identity fraud exploits a weakness in America’s consumer-credit system. Lenders often consider a loan applicant legitimate if the applicant has a credit report at one of the three credit bureaus. But a new “credit file”—essentially a precursor to a credit report—often gets created when someone simply applies, even if the loan gets denied. If one lender approves a loan for the fictitious individual, that information can make the file a full-fledged credit report.

How a “Phantom Borrower” is Born:

• Scammer applies for loan using fake identity
• Query to credit-reporting firm reveals no borrowing history. Applicant likely gets rejected
• Query results in a new 'credit file,' a precursor to a credit report. Suddenly, a new identity has been born
• Scammer applies for more loans, expanding credit file, giving lenders perception that applicant is real
  
  

TransUnion and Experian say it is difficult to distinguish between a “phantom borrower” and a real borrower who’s applying for credit for the first time and has identifying information that isn’t on file.

One of the reasons that more criminals are using the synthetic identity scam is because lenders have gotten better at protecting against traditional identity theft, which often involves using stolen data about real consumers. When bypassing actual consumers, scammers send fewer “red flags.”

While individuals probably won’t get a high-spending-limit card or large loan without a repayment history, some identity scammers pay bills promptly to qualify for higher limits, then default on larger loans or when credit card has been “maxed out”. It then costs financial institutions a myriad of hours to track down individuals who don’t exist.

Fortunately for lenders, synthetic identity fraud detection and prevention strategies have evolved, as well. Digital technology, neural networks and predictive analytics powered by machine learning and artificial intelligence are helping to more quickly scan large databases like those generated by data-furnishing front companies.
​
Protecting Your Credit Union from Synthetic ID Theft
Synthetic identity can cost a credit union thousands of dollars and numerous unrecoverable hours. Protecting your credit union from synthetic identity requires strong security and recovery programs.

1. Implement Strong Security Processes 
   The use of biometrics and cross-referenced background checks for identity verification can help stop synthetic identity thieves. Take extra precautions when applicants have no credit history.
   
   
2. Provide Fully Managed ID Recovery 
   Give account holders the right tools and support to keep them safe from synthetic identity theft. In the event their information is ever compromised, they’ll want to know that their credit union is there to help. Implement a Fully Managed Recovery (FMR) program that puts members’ service first and will act on their behalf during the entire identity restoration process.

​
Having greater cybersecurity preparedness needs to be the top priority for credit unions. This will help credit unions avoid becoming victims of synthetic identity fraud, as well as will create the basis for the ultimate response to any data breach or identity theft when it happens. Strong cybersecurity preparedness isn’t cheap, so credit unions must search and find solutions that also generates new income streams while delivering cybersecurity preparedness.

Source: "The New ID Theft: Thousands of Credit Applicants Who Don’t Exist” WSJ, 6 March. 2018.

With the one year anniversary of the Equifax data breach upon us, affecting over 147 million adult Americans, there is an ever increasing need for Americans to be “on guard” from the effects of this breach, and so many others like it (UBER, Sonic, UnderArmor, etc.). Credit Unions have a golden opportunity to show their members, and potentially new members, that they recognize the growing risks facing their members far outside the walls of the credit union itself.

A recent study conducted by a team of researchers at the University of Michigan School of Information shows that consumers (your members) have exhibited an optimism bias that has led to a significant degree of complacency or total lack of action in response to the Equifax breach.  Whether you call it “putting their heads in the sand”, “rolling the dice”, or exhibiting the “it hasn’t happened to me yet” syndrome, people (members) need to know they’re taking enormous risks with this complacent approach.  New account and Account Takeover fraud has increased more than 200% in the US over the past three years, thus magnifying the risks for members as they face more serious ID theft nightmares.

In a recent interview with FBI Retired-Special Agent, John Iannarelli, he explained that, “The criminals who perpetrated the Equifax breach will sit on the majority of data for as much as a year or more before using it. They know the nature of consumers is to get more complacent over time, long after a major breach. They know there will be an initial rush to have protection immediately following the breach, then folks just get lax, assuming it’s all safe and lose their vigilance. And that’s when the thieves will strike.”

The U of M report indicated that some consumers simply delay taking security related actions to protect themselves until after they know they are actually harmed.  There is a general lack of awareness about the best ways to protect themselves.  They don’t understand the extensive time and labor involved in managing the recovery efforts.  Most often they are mistaken about various monitoring services that they “believe” will prevent ID theft from happening. This lack of awareness issue includes a misinterpretation of how preventative services, or so-called “resolution services”, actually work, or don’t work, as they are led to believe from their descriptions.

Another interesting trend has recently been revealed by a Scottsdale, AZ firm, Cornerstone Advisors, which indicates that millennial consumers (members) are turning to credit unions or other financial institutions for non-financial services such as ID theft protection. And, as reported in last month's CU Times article, Millennials Open to Buying Non -Financial Services from CUs, the majority of millennials are willing to consider buying bundled services at attractive prices.

This new Cornerstone study reflects complementary results to an early 2017 study released by Assurant, Inc., which reported that the majority of surveyed US consumers were fearful of ID theft & cybersecurity.  Over 60% of the consumers indicated that they were “terrified” or “very concerned” about ID theft or cyberattacks, prompting 79% of the respondents to be “more likely” to buy protective services.

Another contributor to consumer complacency is a vast array of “technology wielding” companies urging consumers to trust in the next “magic pill” solution that will make all of the ID theft threats evaporate (i.e. remember how EMV chip cards would be the final answer?).  Recently, the hope of technology rests upon Blockchain companies to produce the fix for all identity theft.  However, subject matter experts such as Mark Pribish, VP & ID Theft Practice Leader at Merchants Information Solutions, have the insights into the reality of data breach events and their ID theft fallout, which reveal that the direct cause of many breaches and ID theft events are from human fallibility vs. technology attacks (i.e. hacking, malware). Therefore, the power of Blockchain solutions, which focuses predominantly on technology controlled data, will continue to face serious limitations as a means to end all identity theft.

In conclusion, credit unions have an excellent opportunity to take a leadership role by bringing members a real solution to preparedness against data breach & ID theft events. Pribish offers great advice in his own summation, “I recommend that companies and individual consumers focus on response and recovery—because it’s not a question of if, but when a company experiences a data breach even if your organization has implemented Blockchain technology…”  CU’s can make an enormous impact on their members with strong awareness programs and provide them bundled ID theft services with rich value propositions. Why should members be forced to find third party solutions online (via Amazon, Apple, etc.) with services from companies they do not trust at rates much higher than they’d expect from their trusted credit union?
​
So celebrate the one year anniversary of the Equifax breach with definitive action to serve your members before the next anniversary….and end your members’ confusion, complacency, and increasing vulnerability that criminals are using to their advantage.  

In light of last September’s Equifax data breach event – along with new proposed cybersecurity legislation – credit unions have an opportunity to enhance their cybersecurity best practices and generate residual non-interest income by offering identity theft and breach response services to its members.
 
Here are four lessons learned from the Equifax breach that can help protect your members and credit union:
 
Lesson #1 “the Equifax Affect,” no company can fully prevent a data breach from happening. Even Equifax, with more financial and IT resources than most companies in the U.S., wasn’t able to prevent a data breach from occuring.
 
In Equifax’s case, their data breach event affected 145 million U.S. consumers where information breached included names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers and more.
 
Lesson #2 “response and recovery,” where Equifax failed in multiple ways to respond in a timely and responsible manner.  First, and with irony, the Equifax breach happened because the company failed to fix a software flaw that federal officials had warned about months before. But to make matters worse, Equifax waited nearly six weeks to notify the public after learning of the hacking event.
 
When this crisis happened, Equifax’s failed management response resulted in its chief information officer and chief security officer “stepping down” and its CEO “retiring.”
 
Lesson #3 “the future of cybersecurity laws” could include the potential for criminal action for officers and board members of any size organization. CSOonline.com released an article titled The year ahead in cybersecurity law, where CSO states that “major legal cases and proposed state and federal legislation will shape how companies respond to and attempt to mitigate cybersecurity and data privacy risks.”
 
Lesson #4 “industry best practices should include response and recovery” as Risk and Insurance Magazine highlights in this article titled Cyber Threat Will Get More Difficult, where General Michael Hayden, former head of the Central Intelligence Agency and National Security Agency, and current principal at the security consultant the Chertoff Group, stated that “companies should focus on response, resiliency and recovery when it comes to cyber risks.”
 
According to Hayden, “companies are focusing on the vulnerability aspect, and responding by building high walls and deep moats to keep attackers out.”  He said “If you do that successfully, it will prevent 80 percent of the attackers.”
 
“But that still leaves 20 percent vulnerability, so companies need to focus on the consequences: It’s about response, resiliency and recovery,” said Hayden.
 
In an era of growing data breach risks, credit unions that offer data breach “response” services to their business accounts can differentiate themselves. These unique data breach recovery services can help to attract and retain business accounts, which will incrementally grow revenues. 
 
All businesses need strong document management policies and since financial institutions are particularly targeted by criminals,  credit unions need strong data breach response solutions themselves to help protect the institution, their members, staff and board of directors.
 
For all these reasons noted above, complying with NCUA Supervisory Priorities for greater cybersecurity preparedness needs to be the top priority for credit unions.  This will help credit unions avoid the “Equifax nightmare” and create the basis for the ultimate response to any data breach “when” it happens.  Credit unions must search and find solutions that will not only address cybersecurity preparedness, but also generate new income streams…because cybersecurity preparedness isn’t cheap.
 
Mark Pribish (mpribish@merchantsinfo.com) is the VP and ID Theft Practice Leader at Merchants Information Solutions, Inc., a leading ID theft and data breach services firm based in Phoenix, AZ.  He has authored hundreds of articles and white papers and is frequently interviewed by local and national media as an identity theft and data breach risk management expert.
 
Jim McCabe (jmccabe@veroproducts.com) is the SVP, Identity Theft Solutions, Vero, LLC, a subsidiary company of CU Direct.  Jim has developed his subject matter expertise in ID theft & data breach solutions and has contributed to industry publications & blog sites, while consistently speaking for conferences & webinars to foster awareness & education of best practices.
 
Request a WebEx by Vero to learn about unique solutions to maximize the preparedness of your CU, improve member value, and potentially increase non-interest income. 

Despite a heightened understanding and awareness of the importance of strong cyber security by everyone, the trend of data breach attacks continues to increase - impacting thousands of businesses and millions of individuals.  Last year, there was a 40% increase over 2015 in the number of businesses that were impacted by data breaches. Businesses of all sizes were hacked by criminals that used techniques such as ransomware and non-malware attacks to steal data.
 
No organization is safe from a data breach.  It’s no longer a question of “if”, but “when” a business will have its data compromised…per retired FBI special agent
  
Over the last five years, data breaches have recurrently made headline news as large businesses such as; Yahoo, Target, Home Depot, Dropbox, Ebay, JP Morgan Chase, Anthem and Living Social, were hit by hackers. Thousands of credit union cardholder members were impacted by these hacks.  Yahoo’s 2013 and 2014 hacks took 2-3 years to discover; allowing the criminals and black market even more time to devastate the victims’ identities. Most recently, restaurant chain Arby’s was hacked by malware that affected 1,000 restaurants and even more credit union members – very much like Wendy’s ’16 breach.
 
Although there are steps that organizations can take to help make themselves less vulnerable to a data breach, it is impossible for any organization to guarantee it won’t happen. 
 
Nearly two-thirds of Americans (64%) have personally been victims of data breaches. And 65% of US Consumers are terrified of experiencing an ID theft.
 
According to Pew Research Center’s most recent survey:

• 41% of Americans have encountered fraudulent charges on their credit cards.
• 35% have received notices that some type of sensitive information (like an account number) had been compromised.
• 16% say that someone has taken over their email accounts, and 13% say someone has taken over one of their social media accounts.
• 15% have received notices that their Social Security number had been compromised.
• 14% say that someone has attempted to take out loans or lines of credit in their name.
• 6% say that someone has impersonated them in order to file fraudulent tax returns.

 
To make matters worse, coinciding with the rise of data breach victims, there is now the new threat of Civil and Class-Action Lawsuits facing the businesses from these victims – driving new legal and settlement costs.
 
The aftermath of big company data breaches is almost always characterized by class-action lawsuits.  While not every litigation makes its way to the public eye, it is becoming more and more common for organizations of all sizes to face a civil or class-action lawsuit after a data breach.  The best way that credit unions and other organizations can protect themselves against litigation is to have a trusted Fully Managed Recovery System in place, such as Vero's IDProSelect.

The majority of Americans expect cyberattack on the nation’s banking and financial systems.
 
Many Americans lack confidence that various public and private institutions will be able to protect their personal information from bad elements.  While Americans often first turn to their financial institution after finding out that they’ve been a victim of a data breach, the majority of them also fear that a major cyberattack will occur on the nation’s banking and financial systems within the next five years.  Organizations that have implemented a Fully Managed Recovery System often have clients and members that have greater peace-of-mind.
 
Having programs in place for cyber security and data breach response is no longer just an option for credit unions.  For the second year in a row, the NCUA’s Supervisory Priorities have mandated that credit unions have a plan for 1) cyber security 2) member response and 3) fraud prevention.  Vero’s IDProSelect helps credit unions address these areas of NCUA's 2017 Supervisory Priorities. 
 
For more information on how your organization can protect itself from the ramifications of a data breach or to receive more information on Vero’s  IDProSelect, please contact Jim McCabe at jmccabe@veroproducts.com or call (480) 748-0403.

This is the time of year when criminals are most actively plotting and scheming, and credit union members are exposed and vulnerable.  Tax scammers are preying on members’ social security numbers for tax-related identity theft and other crimes.  In fact, nearly 50% of identity thefts are a result of unauthorized government documents, which include tax filings.

Tax season may just be starting, but these scammers have been hard at work. They’re waiting for an opportunity to steal members’ personal information for fraudulent tax refunds and other transactions.  Members that become victims of tax-related identity theft become a high target for other identity crimes since hackers use their same information to sell to the black market, get loans and impersonate the victims in a multitude of other matters. 

Being a victim of a tax crime can be a harrowing experience for members.  The resolution process with the IRS often takes between 12-24 months.  During this time and after, members’ personal information may be used for other crimes.  Once the tax-related case has been resolved, IRS will employ measures to help ensure that members’ tax accounts are not compromised again.  However, this does not fully protect your members from being victims of other forms of identity theft.
 
While the tax community must stay on top of security systems to protect taxpaying individuals and their businesses, financial institutions are also being counted on to protect their account holders’ identities and financial account information.  Credit unions that offer identity theft recovery and restoration services are best equipped to do this.  Victimized members that have been provided with identity theft recovery protection by their credit union can recover and protect their exposed identities easier and more quickly than those that do not have any identity recovery protection.  For example, members that are covered by Vero’s IDProSelect through their credit union, are assigned a personal advocate immediately upon confirmation or suspect of any form of identity theft.  When members become notified that their social security number has been compromised for tax-related theft, they need only to contact their ID theft advocate, who will handle all resolution steps for the member, as well as will have communication with the member throughout the entire process. 
 
Credit unions should advise their members to:

• Use the credit union’s identity theft recovery and restoration service (if one is provided).Vero’s IDProSelect provides complete case resolution, no matter how long it takes or how complicated the case becomes.
• Look out for IRS imposters. The Federal Trade Commission (FTC) has gotten thousands of complaints about one kind of scammer in particular — IRS imposters. They call members saying they owe taxes, with threats that they may be arrested if they don’t pay right away. They might know all or part of their Social Security number, and can rig caller ID to make it look like the call is coming from Washington, DC.
• File tax returns early in the tax season (before identity thieves do).
• Use a secure internet connection if filing electronically. Don’t use unsecure, publicly available Wi-Fi hotspots at places like coffee shops or a hotel lobby.
• Mail tax returns directly from the post office.
• Shred copies of tax returns, drafts, or calculation sheets that are no longer needed.
• ​Respond to all mail from the IRS as soon as possible. Let members know the IRS won’t contact them by email, text, or social media. If the IRS needs information, it will first contact by mail. Don’t give out Social Security numbers (SSN) or Medicare numbers unless necessary. Check their credit report at least once a year for free at annualcreditreport.com. Members can report IRS imposter scams to the Treasury Inspector General for Tax Administration (TIGTA) online or at 800-366-4484, and to the FTC at ftc.gov/complaint.  

​Sources:
February 2016 Federal Trade Commission Consumer Sentinel Report