Shostack + Friends Blog Archive


No good deed goes unpunished

The folks at the Alabama Credit Union were informed that 500 of their customers were among those whose payment card information was stolen in the Sam’s Club breach. They took a conservative approach and reissued the cards for all 500 customers, and also informed them of the breach.
As we’ve commented on previously, information concerning the size of this breach, and notifications to its victims, have been slow in coming.
Today’s American Banker continues the story [link no longer works], showing how the openness of the Alabama Credit Union, in conjunction with the silence of others involved, has led to false impressions about ACU’s security:

Alabama Credit Union’s policy is to err on the side of disclosure – and following that policy after the recent breach at Sam’s Club brought unwelcome consequences.
Executives say they have not wavered in their conviction, but attention the credit union got in the local press after sending notification letters to everyone potentially affected, and other issuers’ refusal to do so, left them frustrated.
“I find it strange that you haven’t heard from anyone else,” said Steve Swafford, the president of the $220 million-asset credit union, which is based in Tuscaloosa. “This information should become public quickly, so that people can act. That is consumer-spirited.”

(emphasis added)
Indeed, because rumors swirl in an information vacuum, the credit union has chosen to publicly release information about what it learned, when it learned it, and (quite tellingly) information concerning the number of accounts put in jeopardy at another institution.
There’s a new equilibrium being established here, and this skirmish is happening where old meets new.