Heartland Breach - 600 million affected?

Posted By: Anonymous

Heartland Breach - 600 million affected? - 01/26/09 10:05 PM

I need to know what other community bankers are doing in response to the Heartland Breach.
If you don't already know, information is available at www.2008breach.com. Some sources are saying 600 million debit and credit card numbers - including MasterCard, Visa, American Express, and Discover Financial - were compromised. Your vendor (the entities on the back of your debit and credit cards) can tell you if your bank was affected. (Non-bankers, your bank can tell you or soon will be able to tell you).

Our vendor has said we have the option of issuing all new cards to all affected customers (at a cost of over $20,000 to the bank, which will not be reimbursed), or issuing letters to all affected customers (still will cost thousands and lots of time and staff). If your bank or financial institution is affected, please respond with:

# of affected cards - Response chosen (letter or automatic card replacement) - estimated cost - Your region (i.e., Westcoast, Southeast, Eastcoast, Midwest)

Ours:
4,000 cards - Sending a letter - estimated cost $1,500 plus staff time - Region = Southeast

I think we need to get a feel for what others are doing so our response makes sense within the context of the rest of the country. If this has been addressed elsewhere at BOL, please advise.

Thank you!
Posted By: Anonymous

Re: Heartland Breach - 600 million affected? - 01/27/09 04:42 PM

Upstate NY approx 2000 cards, letter and reissue. Don't have the est. cost on hand right now.
Posted By: Anonymous

Re: Heartland Breach - 600 million affected? - 01/27/09 04:57 PM

Texas (Houston area) approx 1200 cards, letter and reissue. Approx cost $6000.00. Not including possible loss from cards that have been compromised $5500.00. OUCH!
Posted By: straw

Re: Heartland Breach - 600 million affected? - 01/27/09 09:41 PM

Phoenix AZ approx 12000 cards, letter and reissue. About $35000 cost, not including confirmed $12000 in fraud losses (and likely to be more).
Posted By: Princess of Power

Re: Heartland Breach - 600 million affected? - 01/27/09 11:11 PM

Napa CA, so far 25 cards - letter & reissue. Losses to date exceed $10,000 & growing.
Posted By: ApacheBelle72

Re: Heartland Breach - 600 million affected? - 01/27/09 11:21 PM

Texas - 800 cards and still getting reports every day!!! I hate this.
Posted By: ahou

Re: Heartland Breach - 600 million affected? - 01/28/09 03:39 PM

Are your losses coming from outside the US?
Posted By: WonderWoman

Re: Heartland Breach - 600 million affected? - 01/29/09 04:10 PM

approx 1,000 - letter & manual card replacement - unknown cost no losses taken (we've blocked all signature based transactions in Mexico & that has reduced our losses significantly) - Northern CA.
Posted By: risk08

Re: Heartland Breach - 600 million affected? - 02/03/09 05:17 PM

MidAtlantic region- 2,300 + cards; 10,000 cost for replacing. Contacting customers, hotcarding and replacing.
Posted By: Anonymous

Re: Heartland Breach - 600 million affected? - 02/06/09 03:21 PM

Is everyone reissuing for cards that are low risk as well?
Posted By: CSB98

Re: Heartland Breach - 600 million affected? - 02/06/09 03:40 PM

We have decided not to automatically reissue for those that are low risk. We are leaving it up to the customer whether they want to order a new card or not.
Posted By: Wisco Crime Stoppers

Re: Heartland Breach - 600 million affected? - 02/06/09 04:02 PM

Visa or Master Card doesn't require us to reorder, but what happens if the customer comes forward a while down the road and makes a complaint? Will they still reimburse them? What is the time frame that customers need to notify of a problem? Also, do any financials get reimbursed from these card companies for reissuing for the high risk? I doubt it, but thought I would throw it out there.
Posted By: risk08

Re: Heartland Breach - 600 million affected? - 02/09/09 03:21 PM

Is anyone sending a letter to their customers whose card has been compromised? If so, would you be willing to share your verbiage?

Thanks!
Posted By: Retired DQ

Re: Heartland Breach - 600 million affected? - 02/09/09 03:34 PM

Sure, send me a PM with your email address.
Posted By: Comply 101

Re: Heartland Breach - 600 million affected? - 02/10/09 05:35 PM

Has anyone talked to their core processor about utilizing a neural network system that monitors and shuts down debit card activity that appears fraudulent? I used to work for a bank that would not always reissue cards during a major compromise. They felt with the software in place, it protected the bank from low and intermediate breaches. They kept an Access database of compromised card notices from Visa CAMS and compared that to unusual debit card losses. If they saw trend losses in a previous CAMS alert, where cards were being affected, they could make a decision to cancel and reissue from that previous alert.
Metavante banks have a solution called PRM. Fiserv has something similar as well. I am not suggesting this time that banks don't reissue, as we have all seen some pretty large losses. But now is the time to consider some type of procedure that takes a risk management approach to reissuing or not in the future. Spending more money on reissuing cards than what you would experience in future losses doesn't make much sense. Not taking into consideration the inconvenience of the customer. God forbid-what if we have another major breach in six months. How do you explain to your customer that their card has been compromised again, when their Chase credit card that they have had for twenty years has never been cancelled??
Posted By: QueenBB

Re: Heartland Breach - 600 million affected? - 02/10/09 07:22 PM

In middle of Texas, 1,000 cards hotcarded with new ones issued; no known losses; letters sent to those possibly compromised (letter from Fifth Third as an example); cost of $5,000
Posted By: ShawnOK

Re: Heartland Breach - 600 million affected? - 02/12/09 11:42 PM

Small community bank in Oklahoma with 3 branches - approx. 1000 cards affected (so far!), sending letter with new card in it for them to activate, expiring current cards in March, cost is about $3000 and rising.
Posted By: AuditorK

Re: Heartland Breach - 600 million affected? - 02/13/09 11:57 PM

With reissue costs per card as low as what everyone is reporting, I assume no one is paying for the extra fraud reporting (and expensive) "continued protection" available?
Posted By: Anonymous

Re: Heartland Breach - 600 million affected? - 02/14/09 12:53 AM

Western US, 34,000 cards. No reissue and no letter. We are using VISA DPS and have had no fraud related activity on the cards to date. Similar experience with TJ Maxx with same response and we had a very good outcome with no impact to customers and limited losses (significantly less than cost of a re-issue) to the bank.
Posted By: Anonymous

Re: Heartland Breach - 600 million affected? - 02/20/09 10:53 PM

Southeast. 7,000 cards. No reissue, no letter. Statement stuffer "Watch for fraud and alert us of any problems...Your card may have been affected by a breach affecting hundreds of millions of cards of all card types nationwide..."
Posted By: ksm

Re: Heartland Breach - 600 million affected? - 02/27/09 04:40 PM

We have been notified of compromised cards, but no documented loss other than card replacement. Should we file a SAR? I do not think law enforcement will benefit from knowing we had cards that may have been compromised. What are others doing?
Posted By: Kaos

Re: Heartland Breach - 600 million affected? - 02/18/10 07:27 PM

I'm bumping this back up since it didn't get an answer. For informational purposes, did anyone actually file a SAR on this?
Posted By: ItNeverEnds CRCM

Re: Heartland Breach - 600 million affected? - 02/18/10 09:24 PM

No, we didn't. Our fraud was under the 25k for unknown suspect. We did have another localized merchant breach a year or so before this that was happening when the FDIC was here and they commented that they felt we should file a SAR even though our losses were under the reporting limits. Visa was already involved at that point and I thought what would the point be. I feel the same with Heartland, what would be the point of filing SARs when the whole world already knows about it? But if you look at the definitions, it does appear that if it meets the reporting thresholds we should file. Anyone else have any thoughts or experience with this?
Posted By: Kaos

Re: Heartland Breach - 600 million affected? - 02/19/10 01:20 AM

We didn't meet the threshold either. Did anyone file it under "computer intrusion"?
Posted By: Retired DQ

Re: Heartland Breach - 600 million affected? - 02/19/10 11:34 AM

I wouldn't file a SAR, the authorities know about it, the regulators know about it, they caught the perpetrators (if I remember correctly), it would be an unnecessary filing IMHO.
Posted By: WonderWoman

Re: Heartland Breach - 600 million affected? - 02/19/10 05:07 PM

Originally Posted By: DeeQuiteRelieved
I wouldn't file a SAR, the authorities know about it, the regulators know about it, they caught the perpetrators (if I remember correctly), it would be an unnecessary filing IMHO.


Be careful ... this is how Riggs Bank got nailed. (or was it the other one?) Anywho - if it hit the threshold of over $25K - it would be considered Credit/Debit Card Fraud & Identity Theft. You are obligated to file. Because the regulators know, is all the more reason to file.

This would not be (IMHO) Computer Intrusion as your computers were not intruded upon.
Posted By: Kaos

Re: Heartland Breach - 600 million affected? - 02/19/10 05:47 PM

We had an examiner ask why we hadn't filed it under a computer intrusion. My interpretation of a computer intrusion has always been our system. If you are caught up in someone else's problem, such as the Heartland case, should you then be filing a SAR?
Posted By: WonderWoman

Re: Heartland Breach - 600 million affected? - 03/01/10 06:08 PM

It is NOT computer intrusion.

Characterization of Suspicious Activity - Reportable Condition: Computer Intrusion

Possible Federal Criminal Statute(s): 18 U.S.C. Section 1030 – Computer Fraud

Explanation/Description: A person who gains access to a computer system of a financial institution to:

- Remove, steal, procure or otherwise affect funds of the institution or the institution's customers
- Remove, steal, procure or otherwise affect critical information of the institution including customer account information; or,
- Damage, disable or otherwise affect critical systems of the institution.

Note: Does not mean attempted intrusions of websites or other non-critical information systems of the institution that provide no access to institution or customer financial or other critical information

See The SAR Activity Review for additional information on Computer Intrusion at the following hyperlink: http://www.fincen.gov/sarreviewissue3.pdf