Equifax Cyber Security Attack – Part 2

Equifax Cyber Security Attack – Part 2
Posted: Oct 19, 2017
Comments: 0

What credit unions need to be on the look out for

The recent breach of Equifax accounts represented something far worse than breaches of card data (such as name, card number, expiry, and in some cases addresses) as has happened at Home Depot, Target, Chipotle, Arby’s, Michael’s and several other brick and mortar and online locations. In this case, much more than card data was compromised.  The data stored at Equifax includes social security numbers, account history, drivers’ license numbers, phone numbers, email addresses, birthdates, history of previous addresses and employers – all the information that is used to verify new banking customers or to reset lost passwords.

Furthermore, in previous cases, victims of breaches were customers of the entities that were compromised – a cardholder used their card to make a purchase. The cardholder was then made aware of the breach by their credit union or bank. The issuer of their card notified the cardholder of the potential compromise, shutdown the card, and reissued a new one. In the Equifax case, the vast majority of the nearly 150 million accounts that were compromised never had any relationship with the company. Worse, most average consumers don’t even know who Equifax is, or why Equifax has all that data about them.

How credit unions can protect themselves from fraudsters

In a previous article on the Equifax breach that appeared on,  we identified seven items or activities that credit union member facing and marketing staffs should become familiar with to proactively educate members. While the information offered in that article will help to protect credit union members, what about protecting the credit union itself?  In this article, we look at another aspect of the breach – what credit unions need to be on the lookout for.

For example, many credit unions have tried to make it easy to onboard new members who want to get a credit union credit card or get a loan, by allowing a potential new member to complete everything online. If a person visits a branch office, credit union staff can check ID. But the bad guys are not going to come into a branch where their identity could be captured on surveillance camera.  They are most likely operating remotely from other countries, buying the data from these breached accounts on the dark web, and using the data to submit loan or line of credit applications.

The breached Equifax accounts with the most accounts and the highest credit limits (which usually equates to the highest FICO scores) will be the most valuable ones to buy on the dark web. (Read more about the dark web here). Using these stolen accounts, the bad guys will attempt to get a high limit credit card, max it out, and leave the credit union with the liability, along with a potential negative entry in the real person’s credit report. A person checking their transactions at their financial institution may never realize that an account at another institution – your credit union - has been opened in their name, using their good credit.

Credit unions should expect fraudsters to attempt to become new members and at the same time open credit cards or possibly personal loans. A fraudster is likely to repeat this at many financial institutions. The fraudster will then max out the card, or transfer the proceeds of the loan to a prepaid account to launder the money. It is somewhat likely that the card or loan will be opened using most of the stolen identity, but with a different mailing address and a different email address than what’s in the Equifax file, so that the real person will not get immediate notification. This is called synthetic fraud, where accurate information for a person’s identity is combined with fictitious or fraudulent items to create a new ID. Before the Equifax breach, synthetic ID fraud accounted for nearly one-fifth of credit card charge-offs.

Steps credit unions need to take to try to fend off synthetic fraud

Many credit unions have automated loan decisioning – the parameters that are used to make the decision should be tightened to not allow exceptions in reported information. Likewise, credit checks on new members should be scrutinized for application information that doesn’t match what’s on file. Unfortunately, this involves more manual reviews, which could slow lending processes and raise operational costs. But that is a small price to pay to prevent much bigger losses due to what some are calling the most damaging breach to date. With the right preventive measures, credit unions will not see unnecessary write-offs due to fraudulent account openings.

Rate this article:
No rating
Stephanie  Hainje

Stephanie HainjeStephanie Hainje

Trellance's Director of Education, Stephanie Hainje is an experienced card industry professional with credit and debit card program management from her previous career at Purdue Federal Credit Union, a leading affinity credit card issuer and top 100 Visa USA issuer.

Other posts by Stephanie Hainje

Full biography , Contact author

Please login or register to post comments.


Featured Stories