Saturday, February 14, 2009

Darn, I'm a breach victim......

I just got the following email.
Important Message from Pentagon Federal Credit Union
Ref. Card Number
Ending In: XXXX

Dear Member,
Visa Fraud Control has recently notified us that your Pentagon Federal Credit Union Visa credit card account number, name, expiration date, and CVV (a three-digit verification value on the magnetic stripe of the plastic) may have been compromised in a processor level breach at Heartland Payment Systems, Inc. Heartland Payment Systems, Inc. is one of the nation's largest payment processors delivering credit/debit/prepaid card processing, payroll, check management and payments solutions. Heartland has dedicated a website to provide additional information on the breach.

Information pertaining to your other Pentagon Federal Credit Union account(s) has not been associated with this event or compromised in any way. The compromise did not occur at Pentagon Federal Credit Union nor did it involve any of our systems. All of your Pentagon Federal Credit Union account information remains absolutely secure.

We continue to take all necessary precautions to safeguard and monitor your Pentagon Federal Credit Union accounts to protect against unauthorized activity. We have provided a series of frequently asked questions below that provide additional details and tips.

Please review them and if you would like to receive a new card with a new account number, please use the instructions provided below. You may reach us toll free at 800-247-5626 or online at

If you have recently closed the referenced card, please disregard this correspondence. We apologize for any inconvenience this may cause. We appreciate the continued trust you have placed in Pentagon Federal Credit Union. Thank you for remaining a valued member.

Vincent Gay
Director, Security
Pentagon Federal Credit Union

In this simple email we see the complexity of breach notification. Let me say for the record that I love PFCU -- I've been a member of PFCU for many years and will continue to be for many more.

On the negative side of this notification is the ambiguity. My information "may have been compromised" -- not sure if it actually was, so I'm not sure what the actual risk is. They're fulfilling a legal and/or ethical obligation to tell me the nature of the breach, but are they really helping me by telling me that it's a "processor level breach", without further explanation? And how am I as a consumer supposed to assess my level of exposure? Does this mean that there was an actual intrusion of Heartland's environment, or that they discovered a security hole that could have been entered without their knowledge but they really have no idea whether it was?

On the positive side, I'm alerted, so I myself can keep my eyes open for suspicious activity.

This notification was for a relatively simple incident in a disciplined corporate setting, and it still raises more questions than it answers. Makes me wonder about how we're going to strike the right balance as we move to stricter breach notification regimes in health care.....

1 comment:

Carla said...

I really like your posts. You always come up with a different way to express your stuff. Keep it up.