Stanford Credit Union accidentally releases member data

Officials say the personal data was never read, members not at risk

Stanford Credit Union informed 18,000 members this week that their personal information was accidentally sent to another member after a name snafu.

The incident, which was outlined in a June 9 letter, occurred on April 30. Staff recognized the error within minutes, and the data was destroyed without being read by the recipient, President and CEO Joan Opp told the Weekly today.

The mistake was not a breach of the bank's security system, Opp noted.

The data was a list of members who were pre-approved for loans. An employee sent the list to a longtime credit union member who had the same first name as the staff person who should have received the list, Opp said. The employee was communicating with the member at the time regarding a different matter.

The member had not viewed the information, Opp said, and staff immediately worked with the member to properly destroy it. The data included names, addresses, member numbers, tax identification numbers, loan offers and credit information.

The credit union delayed notifying members while weighing whether doing so would unduly concern them, since the information was never read. But "trust and transparency are important to us," Opp said.

Stanford Credit Union has 55,000 members. The June 9 letter was sent only to those members whose information was sent in the email, Opp said. The letter assured affected members that their information was not seen by unauthorized persons and that they are not at risk.

"We take this issue extremely seriously and apologize for this internal error. While we have state-of-the-art technology and security systems in place to protect our member, human error is an unfortunate aspect of doing business. We have addressed the issue internally and taken a number of steps to ensure this type of incident cannot happen again, including installing additional software systems and instituting new operational protocols," Opp wrote.

The credit union completely overhauled its information-management system in July 2012, according to its 2012 annual report.

Stanford Credit Union has experienced a 67.5 percent increase in total assets from 2008 through 2012. Its total assets in 2012 rose $136 million to $1.5 billion, according to its 2012 annual report.

The credit union's actual regulatory net worth of $124.8 million, or 8.32 percent, is above the 7 percent required to be "well capitalized" by the National Credit Union Administration, according to the report.

We can't do it without you.
Support local journalism.


1 person likes this
Posted by UC Davis Grad
a resident of Mountain View
on Jun 12, 2014 at 4:11 pm

Wait -- it took SIX WEEKS to notify affected Stanford Credit Union members of this security breach?

[Portion removed.]

1 person likes this
Posted by Cubberley neighbor
a resident of Greenmeadow
on Jun 12, 2014 at 5:06 pm

Strike three!
Moving our accounts outta there!!
Circus, indeed.

Like this comment
Posted by Glenn
a resident of another community
on Jun 12, 2014 at 9:52 pm

I talked to SFCU today. It really was not that big of a deal. I asked questions, they answered and explained it. I feel better dealing with them much better than Bank of America for sure.

The receiving computer hard drive was wiped cleaned before anything was opened - I just think some people are over reacting, it wasn't a "breach".

Like this comment
Posted by Just-The-Facts-Please
a resident of Another Palo Alto neighborhood
on Jun 12, 2014 at 10:15 pm

> The receiving computer hard drive was wiped
> cleaned before anything was opened

You get an email with a large attachment.

You get a call from the sender who says it was sent in error, and would you simply delete the email without opening the attachment.

Why would you "wipe" the disc clear before deleating the email?

"Wiping" (which would seem to imply a complete format) is the last thing I would do if someone sent me an email that had compromising data in it.

Once again, it seems like we are not getting the straight story here.

1 person likes this
Posted by Weelz
a resident of another community
on Jun 13, 2014 at 12:46 am

We closed our account there three years ago, after finally losing patience with their many mistakes. overcharges of interest on car loans, failure to correct or even admit blaring mistakes, etc.

They even moved our daughter's college fund to a different account with a new number without our knowledge or permission. Then, when we tried to draw on it, they bounced the check and refused to refund the overdraft fee ( they tried at first to tell us the account was closed).

I am so glad we fired them when we did!

1 person likes this
Posted by Stanford Grad
a resident of another community
on Jun 13, 2014 at 12:31 pm

This piece is almost word for word in the letter I received from SFCU. There is hardly any reporting here except for a rewrite of a press release. As someone impacted by this egregious security breach I am appalled by the shoddy reporting. We need someone to address important questions like
1. How is it possible for an employee of any bank to email such a sensitive document to an external person?
2. How could a bank have all the necessary information required for identify theft of 18000 people to be stored in one document?
3. How do the governing federal agencies view this security breach?
4. If they are confident that this is just a snafu why are they giving away 1 year credit monitoring for free - this wasn't reported by the weekly?
5. Why did it take them 6 weeks to let the affected parties? (Not unduly concern members, really!!!)

So what is the real story here.

1 person likes this
Posted by musical
a resident of Palo Verde
on Jun 13, 2014 at 12:46 pm

Sounds like business as usual. Nobody's perfect, and with today's technology we are provided with infinite ways to mess up.

Like this comment
Posted by SCB94303
a resident of Adobe-Meadow
on Jun 13, 2014 at 3:14 pm

SCB94303 is a registered user.

I closed my account there because they would charge me $5.00 a month for inactivity when I made no transactions. I didn't believe that is justification for a charge. If you don't bother them at all they charge you for it?? My small account was getting totally eaten up by these fees.

Like this comment
Posted by neighbor
a resident of another community
on Jun 13, 2014 at 3:51 pm

As Glenn pointed out there was no actual breach, and the human error -- admittedly hugely careless -- was immediately corrected before any data was accessed and that procedures were immediately enacted to prevent any similar recurrence.

I have personally had no problems with SFCU whatsoever in the last 15 fact, they called me when they figured a way for me to have lower fees. How many banks give that sort of personal service?

A few years ago I closed out other accounts at both Bank of America and Wells-Fargo after serious personal security lapses at each bank. One of these banks allowed my financial accounts/history to be used in my former spouse's post-divorce real estate transactions despite my having taken the final divorce papers to the institution to prevent such an occurrence. The other institution continued to report a closed account as open to all 3 credit agencies for 5 years. Talk about sloppy.

I think the fact that SFCU has had a 67.5 % increase in assets since 2008 is at least partially attributable to it's growth in a satisfied membership.

But PAOnline continues to report any story -- particularly if it involves Stanford -- as a potential scandal, even when they don't have all of the facts. Witness this week's story, where "she-said-without-the-he-said constitutes the entire "news" story and comments that question articles are simply purged by the editor. It is amazing that this organization wins journalism awards, but these days journalism is a very different animal.

Like this comment
Posted by Member
a resident of Los Altos
on Jun 17, 2014 at 6:51 am

A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. (Wikipedia) First thing first, my account number, my credit information, my social security number which the credit union so cleverly tried to disguise by calling it my ‘Tax ID’ number coupled with my birth date, full name and address makes this data very sensitive and confidential. It was explained that this wasn’t a breach of the bank security system, but the credit union failed to recognize the data was breached because someone transmitted my personal information to someone unknown to me and who more than likely viewed the data and possibly copied the data. I personally do not believe that the unauthorized person did not view the list that was emailed to him. How can Stanford Federal Credit Union guarantee that this unauthorized person did not copy my personal information to an external drive, a USB drive, the cloud or anywhere else? They CAN’T.

The CEO, Joan Opp, says trust and transparency are important, and yet it took over a month to notify customers about this breach. Yes, IT IS A BREACH, so call it what it is. Why did the CEO wait over a month to respond to this data breach? Common sense would have said, ‘Inform you customers, IMMEDIATELY!’ More distressing is that the credit union Board of Directors (, all employed by or previously employed by Stanford University and Stanford Hospital did not instruct the CEO to notify the 18,000 customers of this breach the day it happened. Unbelievable! These Stanford and former Stanford employees have access to the brightest people in the world. Within minutes of this data breach, any of these individuals could have consulted the Law School, the Business School, the Medical School, or Engineering and Technology, and they would have been informed of the consequences of not immediately notifying customers of a personal data breach. So if the CEO doesn’t have enough common sense to inform customers of a data breach and doesn’t have a competent legal team to consult with, then she definitely has a Board who does.

The credit union does not own my personal information. I entrusted Stanford Federal Credit Union to keep my money and personal information safe. The credit union CEO does not get to make the decision that my personal information, which fell into the hands of an unauthorized person, has or has not been breached. Stanford Federal Credit Union should let me and its customers decide for ourselves whether our personal information has been compromised. It is our personal information and we are the ones who suffer the consequences when our personal information is compromised. The credit union’s customers should be given the opportunity to act immediately to protect themselves. The CEO who made the decision to delay notification took this opportunity away from us. The ‘internal error’ was not the human error of an individual who accidently emailed the data to an unauthorized non credit union person. The internal error was by the credit union’s CEO who intentionally waited over a month to communicate this data breach to me and 17,999 Stanford Federal Credit Union customers. I will be closing my accounts with this credit union.

Like this comment
Posted by Sandra
a resident of Charleston Gardens
on Aug 26, 2014 at 9:50 am

There could be any mistakes until they don't threaten the security of personal data. I hope it was not a serious problem. [Portion of comment removed due to promoting a website.]

Posted by Name hidden
a resident of Embarcadero Oaks/Leland

on Jun 5, 2017 at 12:40 pm

Due to repeated violations of our Terms of Use, comments from this poster are automatically removed. Why?

Posted by Name hidden
a resident of Gunn High School

on Jun 5, 2017 at 4:42 pm

Due to repeated violations of our Terms of Use, comments from this poster are automatically removed. Why?

Sorry, but further commenting on this topic has been closed.

Be the first to know

Get the latest headlines sent straight to your inbox every day.

Peek inside the fine-dining Selby's, opening in Redwood City this summer
By Elena Kadvany | 6 comments | 4,509 views

If you do nothing else, do These Three Things
By Sherry Listgarten | 16 comments | 1,491 views

Homestead Faire at Hidden Villa 4/27
By Laura Stec | 7 comments | 1,288 views

Premarital and Couples: "You're Not Listening to Me!" may mean "I don't feel heard."
By Chandrama Anderson | 1 comment | 1,183 views

Finding Balance
By Cheryl Bac | 0 comments | 107 views


Vote now!

It's time once again to cast your vote for the best places to eat, drink, shop and spend time in Palo Alto. Voting is open now through May 27. Watch for the results of our 2019 Best Of contest on Friday, July 19.