The data security breach at Home Depot stores in September cost credit unions nearly $60 million to reissue cards, deal with fraud, and cover other costs, according to the results of a new survey of credit unions released last week by the Credit Union National Association (CUNA).
The survey, which asked credit unions to report the effects of the Home Depot breach first announced Sept. 18, found that 7.2 million credit union debit and credit cards were affected by the breach. The results also show that the cost of the violation per card issued by credit unions was $8.02, which included costs for reissuing new cards, fraud and all other costs, such as additional staffing, member notification, and account monitoring.
Conducted from Oct. 1 to Oct. 24, the CUNA survey is the second this year by the nation’s largest trade group for credit unions to gauge the impact of data breaches on credit unions. In January, CUNA conducted a similar survey in the wake of a data breach at Target stores in December. That survey found that the Target breach cost credit unions nearly $30 million. The Home Depot breach costs—at $57.4 million nearly twice as much as the Target breach—affected more credit union debit and credit cards, and the cost per affected card was considerably higher in the case of the Home Depot breach.
The most recent CUNA survey also found that credit unions haven’t been reimbursed for the costs they incurred as a result of the Target breach.
“The cost to credit unions of data breaches—which seem to be occurring with increasing regularity—is rising, as the CUNA surveys clearly demonstrate,” said CUNA President and CEO Jim Nussle in a press release about the survey. “The bottom line is that credit union members end up paying the costs, despite the fact that the credit unions they own had nothing to do with causing the breach in the first place.”
Nussle added that all participants in the payment process have a responsibility to protect consumer data.
“However, the law and the incentive structure today allow merchants to abdicate that responsibility, making consumers vulnerable,” he said. “Congress has a role to play in addressing the issue of merchant data breaches by making sure all of the participants are playing by the same set of data security rules, and that merchants who hold consumer data and allow that data to be breached, are responsible for the costs incurred by others.”