The FLEX Connexion Blog

8 Lessons Credit Unions Should Learn from 2014 Data Breaches

Written by Preston Packer | Dec 9, 2014

I engaged in a bit of industry research over the Thanksgiving weekend when I was recovering from my food coma.  Perhaps it was the turkey and stuffing that got me motivated to sit and research the latest trends for credit union core processors.  Or most likely it was the two slices of pumpkin pie that gave me the energy.  It certainly could have been the scoop of ice cream I put on top of the pie... 


Whatever the motivating factor, I did come across an article in American Banker that I wanted to share.  It's entitled "Eight Lessons for Banks from the Data Breaches of 2014" and it is certainly worth the entire read.  I will however, summarize and adapt the article as it relates to credit unions.

Investigations of the major data breaches of 2014, which have involved about 927 million consumer records, are shedding light on the dark world of cyber crime. Here are the 8 Lessons Credit Unions Should Learn from 2014 Data Breaches:

  1. Hackers have become better organized:  According to a recent Rand report, 80% of hackers were freelancers, and 20% were part of larger organizations, 10 years ago; today that ratio is reversed.  Many of these organizations look like typical businesses with a normal corporate infrastructure.  Sometimes the hackers work together at the same location, and other times they are just emailing back and forth across great distances, but all are working toward a common goal. Often they are tied to traditional criminal organizations.

  2. Law enforcement is aggressively going after the black markets for stolen data:  U.S. law enforcement agencies, including the FBI, the Secret Service, and the Department of Homeland Security, are getting better at catching bad behavior on the Internet, partly because of collaboration among countries and among groups in this country, including the Financial Services Information Sharing and Analysis Center.

  3. Employees are often the weakest link: Eighty percent of breaches have a root cause in employee negligence or human error, according to Michael Bruemmer, a vice president in Experian's Data Breach Resolution group, which has investigated close to 3,000 data breaches in the past year. For instance, employees lose laptops, create weak passwords and have their administration credentials stolen, among other mistakes.

  4. Third-party providers are a huge target:  Hackers, most notably those who broke into Target's point-of-sale network, have discovered that going after a third party, such as a heating and air conditioning provider, is also much easier than attacking a business directly. While eliminating third parties is not an option, choosing trusted vendors,especially with your core, is key.  And having a core that develops software natively and with true integration surely only helps your security.

  5. Data breach fatigue is setting in: American Banker recently asked readers about the effect of frequent news reports about data breaches. A little more than a third said they were experiencing fatigue and getting desensitized. A quarter said the news was making them extra vigilant about security. About 10% said they thought more consumers would try to stay off the grid and pay with cash. In the financial industry, small banks and credit unions often think a breach will not happen to them, that only large companies are targets, Kouns says. "That's not true. All organizations, in all industries and of all sizes, are susceptible."

  6. Open source software libraries will continue to be targeted: Some data breaches of the past year took advantage of vulnerabilities in popular open source software.

  7. Payment data breaches are expected to rise, then fall, as a consequence of the U.S.'s adoption of EMV card standards.

  8. Business leaders are being held more accountable for data breaches: The most obvious example of a head rolling after a data breach is Gregg Steinhafel, who was forced out as the CEO of Target in May, several months after the company's CIO, Beth Jacobs, lost her job for the same reason.

Integration reduces third party risk

Perhaps what got me most excited after my Thanksgiving feast was reading number 4 above.  I encourage you to read our blog post from a few weeks ago if you haven't already:  Integrated Apps – The Sum of all Parts.  Cohesively designed from the inside out, FLEX is the most complete, natively-developed core credit union solution, and is focused on true integration, eliminating some of the risks with data security.    Learn more about FLEX and our truly integrated apps for credit union core technology by downloading our FLEX brochure!

In the meantime... Do you think the leftover pie is still ok to eat?