Stanford Credit Union informed 18,000 members this week that their personal information was accidentally sent to another member after a name snafu.
The incident, which was outlined in a June 9 letter, occurred on April 30. Staff recognized the error within minutes, and the data was destroyed without being read by the recipient, President and CEO Joan Opp told the Weekly today.
The mistake was not a breach of the bank’s security system, Opp noted.
The data was a list of members who were pre-approved for loans. An employee sent the list to a longtime credit union member who had the same first name as the staff person who should have received the list, Opp said. The employee was communicating with the member at the time regarding a different matter.
The member had not viewed the information, Opp said, and staff immediately worked with the member to properly destroy it. The data included names, addresses, member numbers, tax identification numbers, loan offers and credit information.
The credit union delayed notifying members while weighing whether doing so would unduly concern them, since the information was never read. But “trust and transparency are important to us,” Opp said.
Stanford Credit Union has 55,000 members. The June 9 letter was sent only to those members whose information was sent in the email, Opp said. The letter assured affected members that their information was not seen by unauthorized persons and that they are not at risk.
“We take this issue extremely seriously and apologize for this internal error. While we have state-of-the-art technology and security systems in place to protect our member, human error is an unfortunate aspect of doing business. We have addressed the issue internally and taken a number of steps to ensure this type of incident cannot happen again, including installing additional software systems and instituting new operational protocols,” Opp wrote.
The credit union completely overhauled its information-management system in July 2012, according to its 2012 annual report.
Stanford Credit Union has experienced a 67.5 percent increase in total assets from 2008 through 2012. Its total assets in 2012 rose $136 million to $1.5 billion, according to its 2012 annual report.
The credit union’s actual regulatory net worth of $124.8 million, or 8.32 percent, is above the 7 percent required to be “well capitalized” by the National Credit Union Administration, according to the report.
Wait — it took SIX WEEKS to notify affected Stanford Credit Union members of this security breach?
Exactly who is running that circus???
Strike three!
Moving our accounts outta there!!
Circus, indeed.
I talked to SFCU today. It really was not that big of a deal. I asked questions, they answered and explained it. I feel better dealing with them much better than Bank of America for sure.
The receiving computer hard drive was wiped cleaned before anything was opened – I just think some people are over reacting, it wasn’t a “breach”.
> The receiving computer hard drive was wiped
> cleaned before anything was opened
You get an email with a large attachment.
You get a call from the sender who says it was sent in error, and would you simply delete the email without opening the attachment.
Why would you “wipe” the disc clear before deleating the email?
“Wiping” (which would seem to imply a complete format) is the last thing I would do if someone sent me an email that had compromising data in it.
Once again, it seems like we are not getting the straight story here.
We closed our account there three years ago, after finally losing patience with their many mistakes. overcharges of interest on car loans, failure to correct or even admit blaring mistakes, etc.
They even moved our daughter’s college fund to a different account with a new number without our knowledge or permission. Then, when we tried to draw on it, they bounced the check and refused to refund the overdraft fee ( they tried at first to tell us the account was closed).
I am so glad we fired them when we did!
This piece is almost word for word in the letter I received from SFCU. There is hardly any reporting here except for a rewrite of a press release. As someone impacted by this egregious security breach I am appalled by the shoddy reporting. We need someone to address important questions like
1. How is it possible for an employee of any bank to email such a sensitive document to an external person?
2. How could a bank have all the necessary information required for identify theft of 18000 people to be stored in one document?
3. How do the governing federal agencies view this security breach?
4. If they are confident that this is just a snafu why are they giving away 1 year credit monitoring for free – this wasn’t reported by the weekly?
5. Why did it take them 6 weeks to let the affected parties? (Not unduly concern members, really!!!)
So what is the real story here.
Sounds like business as usual. Nobody’s perfect, and with today’s technology we are provided with infinite ways to mess up.
I closed my account there because they would charge me $5.00 a month for inactivity when I made no transactions. I didn’t believe that is justification for a charge. If you don’t bother them at all they charge you for it?? My small account was getting totally eaten up by these fees.
As Glenn pointed out there was no actual breach, and the human error — admittedly hugely careless — was immediately corrected before any data was accessed and that procedures were immediately enacted to prevent any similar recurrence.
I have personally had no problems with SFCU whatsoever in the last 15 years…in fact, they called me when they figured a way for me to have lower fees. How many banks give that sort of personal service?
A few years ago I closed out other accounts at both Bank of America and Wells-Fargo after serious personal security lapses at each bank. One of these banks allowed my financial accounts/history to be used in my former spouse’s post-divorce real estate transactions despite my having taken the final divorce papers to the institution to prevent such an occurrence. The other institution continued to report a closed account as open to all 3 credit agencies for 5 years. Talk about sloppy.
I think the fact that SFCU has had a 67.5 % increase in assets since 2008 is at least partially attributable to it’s growth in a satisfied membership.
But PAOnline continues to report any story — particularly if it involves Stanford — as a potential scandal, even when they don’t have all of the facts. Witness this week’s story, where “she-said-without-the-he-said constitutes the entire “news” story and comments that question articles are simply purged by the editor. It is amazing that this organization wins journalism awards, but these days journalism is a very different animal.
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. (Wikipedia) First thing first, my account number, my credit information, my social security number which the credit union so cleverly tried to disguise by calling it my ‘Tax ID’ number coupled with my birth date, full name and address makes this data very sensitive and confidential. It was explained that this wasn’t a breach of the bank security system, but the credit union failed to recognize the data was breached because someone transmitted my personal information to someone unknown to me and who more than likely viewed the data and possibly copied the data. I personally do not believe that the unauthorized person did not view the list that was emailed to him. How can Stanford Federal Credit Union guarantee that this unauthorized person did not copy my personal information to an external drive, a USB drive, the cloud or anywhere else? They CAN’T.
The CEO, Joan Opp, says trust and transparency are important, and yet it took over a month to notify customers about this breach. Yes, IT IS A BREACH, so call it what it is. Why did the CEO wait over a month to respond to this data breach? Common sense would have said, ‘Inform you customers, IMMEDIATELY!’ More distressing is that the credit union Board of Directors (sfcu.org), all employed by or previously employed by Stanford University and Stanford Hospital did not instruct the CEO to notify the 18,000 customers of this breach the day it happened. Unbelievable! These Stanford and former Stanford employees have access to the brightest people in the world. Within minutes of this data breach, any of these individuals could have consulted the Law School, the Business School, the Medical School, or Engineering and Technology, and they would have been informed of the consequences of not immediately notifying customers of a personal data breach. So if the CEO doesn’t have enough common sense to inform customers of a data breach and doesn’t have a competent legal team to consult with, then she definitely has a Board who does.
The credit union does not own my personal information. I entrusted Stanford Federal Credit Union to keep my money and personal information safe. The credit union CEO does not get to make the decision that my personal information, which fell into the hands of an unauthorized person, has or has not been breached. Stanford Federal Credit Union should let me and its customers decide for ourselves whether our personal information has been compromised. It is our personal information and we are the ones who suffer the consequences when our personal information is compromised. The credit union’s customers should be given the opportunity to act immediately to protect themselves. The CEO who made the decision to delay notification took this opportunity away from us. The ‘internal error’ was not the human error of an individual who accidently emailed the data to an unauthorized non credit union person. The internal error was by the credit union’s CEO who intentionally waited over a month to communicate this data breach to me and 17,999 Stanford Federal Credit Union customers. I will be closing my accounts with this credit union.
There could be any mistakes until they don’t threaten the security of personal data. I hope it was not a serious problem. Just to avoid any hassle with data entry and be sure in the security of your personal details I recommend to use http://paydayloansonlineservice.com/. It’s an on-line service that provides short-term loans without any faxing the documents. So it’s very convenient and useful when you need quick extra money. You just need to fill in the application form and confirm your solvency.
wh0cd771744 [url=http://cialis.us.com/]tadalafil[/url] [url=http://buyamoxicillin.us.com/]amoxicillin pills[/url] [url=http://promethazine.us.com/]promethazine[/url] [url=http://rimonabant.us.com/]rimonabant[/url]
wh0cd760092 [url=http://femaleviagraforyou.us.com/]buy female viagra online[/url] [url=http://amitriptyline.us.com/]buy elavil[/url]