How To Deal With A Breach

Data Breaches are a Big Problem

Merchants are not subject to the same data protection laws and standards as financial institutions, such as credit unions and banks. This means that some merchants fail to invest sufficiently in data security measures. As a result, it can be easier for hackers to gain access to personal information through a merchant, which may include credit and debit card numbers, debit personal identification numbers (PINs), or other sensitive data. Hackers can then sell this information to bad actors, or use it themselves to fraudulently buy things or open new accounts with the stolen data.

For the past several years, merchant data breaches have been increasing.

Skyrocketing Number of US Data Breaches

Number of Breaches up 350% in Past Decade – up 44% over 2016.
178,955,069 Records Breached in 2017 alone!

Source: Identity Theft Resource Center

Chart: Fraudsters Gravitate to Those with Weakest Controls (Percent of Total Breaches)

Source: Identity Theft Resource Center

A number of merchants have a bad track record and shift their mistakes to others

Although most consumers have probably only heard about a few breaches, over 1200 data breaches occurred in 2018, exposing more than 197 million data records – a 126% increase over 2017. The number of records breached in 2018 is likely much higher, since only half of the breaches reported included the number of records exposed.

Source: The Identity Theft Resource Center

When a data breach occurs, the merchants are not required to pay the costs associated with reissuing new cards to individuals and generally pay none of the fraudulent charges resulting from a breach that an individual may have on his or her cards or accounts. Even when merchants are responsible for the breach, they are rarely required to pay ANY costs incurred by others. Who is stuck paying these costs for data breaches? Your Credit Union or Bank—and ultimately, consumers like you.

If merchants can shift most of the costs of their data breaches to others, what incentive is there to increase their data security?

The answer is simple: none.

For More Information, Read the Op-Ed Pieces Below

Merchants must take responsibility

By: Jill Nowacki
New Britain Herald

Merchants must be required to safeguard financial data

By: Paul Gentile
Providence Business News

Credit Unions Have Been There to Protect Their Members and Customers

Consumers will be protected from fraudulent charges on their cards due to a breach, and the cost is generally picked up by the credit union, not by the merchant where the breach occurred.

Financial institutions are limited by law in disclosing many of the circumstances of a data breach. Often, they are not able to disclose the merchant responsible.

Financial institutions clean up the mess when a merchant data breach occurs by informing members and customers and reissuing new credit and debit cards if required. In addition, financial institutions pursue cyber criminals through available legal channels on behalf of their members, saving them time and legal expenses.

While the migration to chip cards has helped curb counterfeit card fraud, it’s still a problem. Data from compromised chip cards can be used to encode the magnetic stripe on counterfeit cards. Those cards can then be used for card-present fraud at merchants. Instead of inserting the chip card in a chip-enabled point-of-sale (POS) terminal, the counterfeit cards are swiped at the POS terminal’s magnetic stripe reader. As expected, the migration to chip cards has also resulted in an increase in card-not-present fraud.

Ensuring the safety of members’ data is a top priority of your credit union.

Credit Union Members and Bank Customers Get Stuck With The Bill

After the Target breach, for example, credit unions were left on the hook for $30.6 million, according to estimates by the Credit Union National Association (CUNA). Additionally, credit unions reissued roughly 4.6 million credit and debit cards in the aftermath.

Financial institutions cover not only the cost of fraud, but also the costs of blocking transactions, reissuing cards, increasing staff at call centers and monitoring consumer accounts.

The data breach at Home Depot was larger than the one at Target, costing credit unions an estimated $57.4 million.

When a data breach occurs, the merchant often shifts most of the costs, and consumers are ultimately the ones that foot the bill.

Sometimes, financial institutions are reimbursed for data breaches, but when they are, the reimbursement covers only a portion of the total cost.

Helpful Solutions to Data Breaches


and consumer notification standards with effective enforcement provisions are needed to ensure sensitive data is protected.


and notification standards that credit unions and banks are already subject to.


and regulations in favor of strong federal data protection and notification standards.


members and customers about a breach, including where it occurred.


for all those involved in the payments system for protecting consumer data. The costs of a data breach should ultimately be borne by the entity that incurs the breach.

Time To Take Action


  • Let Congress know it is time to take action and hold merchants accountable for data breaches. Stop the Data Breaches!
  • Tell Congress merchants should be required to reimburse credit unions for the costs they incur as a result of merchant breaches.
  • Let Congress know that credit unions should be able to tell their members the name of a merchant causing the data breach.