The Spokesman-Review Newspaper
Spokane, Washington  Est. May 19, 1883

Area banks replacing plastic after breach

Institutions sending notices to cardholders

A massive nationwide financial data leak will mean several thousand credit and debit card holders in the Inland Northwest will get notices this week warning them to replace their plastic.

At least four area credit unions and banks say they’ve begun telling credit and debit card holders that their information might have been part of a large security breach reported last week by New Jersey-based Heartland Processing Systems.

Heartland processes about a million credit and debit card transactions for thousands of merchants and businesses nationwide. It also handles card transactions for banks and credit unions that don’t want to manage that process themselves.

Spokane-based Horizon Credit Union is notifying about 3,000 cardholders to replace their credit cards because of the Heartland breach, said company spokeswoman Micole Combs.

Spokane Media Federal Credit Union has contacted 330 cardholders for the same reason, said CEO Debie Keesee. The Spokane-based credit union has more than 1,200 members and a total of 650 credit or debit cards issued.

Other institutions addressing the problem include Bank CDA, in North Idaho, and Wheatland Bank, based in Spokane. The list of area banks and credit unions affected is much larger, Keesee said.

Keesee said nearly every medium-size to large credit union in the region will be affected.

To date, only one Spokane Media credit card has been compromised through the Heartland breach, Keesee confirmed. In that case, the user saw a fraudulent charge of less than $500.

Heartland officials confirmed last week that malicious code inserted on its computers allowed someone to capture credit card numbers and security numbers. The company has not said how many numbers were compromised.

The potential damage could be major: Heartland processes 100 million transactions a month, mostly for small to medium-size businesses.

Spokesman Jason Maloni said the breach should not amount to identity theft as the data taken would not include a cardholder’s Social Security number, address or account PIN.

The first inkling that cards associated with Heartland transactions were involved in fraud dates to October, Keesee said. At that point a spike in card fraud occurred, but it took a while before transaction and processing companies found the source to be the Heartland breach, she said.

Unlike a breach involving a single merchant, where the retailer risks losing customer confidence, a payment processor facing a massive security breach could lose its contracts with those businesses. Consumers typically don’t have to pay for fraudulent charges on their accounts, whereas merchants can be saddled with big costs when their businesses are the victims of fraud.

Still, credit unions and banks face the cost of replacing each possibly compromised card. Keesee said each replaced card will cost between $10 and $20.

She’s learned the credit union can’t use its fraud insurance to pay for the replaced cards, she added.

“We’ll probably just have to eat that cost,” she said.

And because the credit union doesn’t have a contract with Heartland, the option of suing that big processor doesn’t exist, she added. “Heartland has a contract with the merchant to process payments,” she said.

The Associated Press contributed to this report.