It's been less than two months since Home Depot first admitted (on Sept. 2) that it was “looking into some unusual activity” which everyone now knows was the largest retailer data theft to date, with at least 56 million debit and credit card numbers stolen. Home Depot formally admitted the breach on Sept. 18.
At the time, the Credit Union National Association (CUNA) urged its member credit unions to take part in a survey assessing the damages caused by the breach, including:
• Number of debit and credit cards affected;
• Costs incurred for card reissuance;
• Costs related to additional staffing, member notification, account monitoring, etc.;
• Changes in call volume;
• Changes in staffing; and
• Any specifically identifiable fraud-related losses.
By the end of September, two credit unions in Pennsylvania and New York had already filed federal lawsuits against Home Depot, seeking class action status on behalf of all financial institutions similarly affected by the breach.
And the financial fallout continues to be felt. Today CUNA released the results of its member survey and announced that Home Depot's security breach has cost U.S. credit unions nearly $60 million so far.
Still costs money
From the perspective of credit unions and other card issuers, one major problem with stolen credit card and similar account numbers is that even in a best-case scenario, where the theft is discovered and cards cancelled before the thief can make any fraudulent purchases with them, it still costs money just to issue new cards and set up new accounts. And of course, the Home Depot security breach was far from a best-case scenario for the credit unions and banks.
CUNA said that, according to a survey of member credit unions, 7.2 million of their debit and credit cards were affected, and had to be re-issued. The average cost per card was $8.02, which includes re-issuing the card itself, paying for fraudulent charges, and paying additional staff costs for account monitoring, member notification and similar costs.
CUNA economist Bill Hampel said that fraud accounted for 60% of the total cost, averaging $4.89 per card. But that means that even had this been a best-case security breach, with all 7.2 million of those cards cancelled before being put to any fraudulent use, it still would've cost roughly $3.13 to re-issue each card, and pay staff to notify members and monitor accounts to ensure no fraudulent activity; the best-case scenario still would've cost credit unions over $22.5 million.
How much of that cost is likely to be borne by Home Depot? Despite the pending lawsuits, chances are the credit unions and their members will be stuck with the bulk of it.
CUNA president and CEO Jim Nussle said “The cost to credit unions of data breaches — which seem to be occurring with increasing regularity — is rising, as the CUNA surveys clearly demonstrate …. The bottom line is that credit union members end up paying the costs — despite the fact that the credit unions they own had nothing to do with causing the breach in the first place.”