WASHINGTON–Three confirmed data breaches last week at several well-known companies have prompted NAFCU to send a letter to Congress to again stress the “urgent need” for a national data security standard.
Among the companies confirming their systems had been breached last week were:
- Robinhood, which said approximately 2,000 of its brokerage accounts had been compromised, with the attacker able to take over users' trades and funds. The attack is considered particularly severe because the attackers gained access to brokerage accounts of clients who claim they had set up two-factor authentication. In addition, many users complained that hackers liquidated their investments and withdrew balances to online payment apps.
- Dickey’s Barbecue Pit, which operates 469 locations nationally. The company says as many as three million payment cards may be affected, with the card data currently for sale online.
- Barnes & Noble, which acknowledged its systems had been the target of a cyberattack. Some customers complained they were unable to access their Nook libraries and that their previous purchases had vanished into thin air. Others were not able to log in to the firm's online platform, and connectivity issues when sending or loading new books were widespread, according to numerous reports.
Customer email addresses, billing and shipping addresses, telephone numbers, and transaction histories may have been exposed during the breach, the company said in an email. It said no financial data had been compromised.
NAFCU Letter
In a letter to congressional leadership, NAFCU said there is an “urgent need for a national data security standard for entities that collect and store consumers’ personal and financial information that are not already subject to the same stringent requirements as depository institutions.”
Citing the three incidents noted above, NAFCU’s Brad Thaler said “These breaches are just another reminder that it is time for Congress to act to prevent future breaches and harm to consumers. We would urge your continued focus on this important topic and the need for addressing consumer data security issues in the remaining days of this Congress and in the new Congress.”
Thaler, NAFCU’s VP-legislative affairs, told Congress that “unfortunately” fintechs such as Robinhood are not held to the same data security expectations as “depository institutions, which have faced rigorous cybersecurity exams for years under the Gramm-Leach-Bliley Act (GLBA). Even more troubling, the U.S. Securities and Exchange Commission (SEC) issued an advisory last month which warned against precisely the sort of authentication weaknesses that may have played a role in the reported Robinhood breach. Given that Robinhood has suffered high profile breaches in the past, it may be that the SEC’s regulatory toolkit needs updating. In this context, it may be appropriate for Congress to ask why the agency has so far declined to extend the scope of its Systems Compliance and Integrity.”
Financial Liability
Thaler’s letter added, “NAFCU believes that negligent entities should be held financially liable for any losses that occurred due to breaches on their end so that consumers are not left holding the bag. When a breach occurs, depository institutions should be made aware of the breach as soon as practicable so they can proactively monitor affected accounts. Finally, any new rules or regulations to implement these recommendations should recognize credit unions' compliance with GLBA and not place any new burdens on them.”
The letter concludes by listing NAFCU’s Principles on Data Security.
