Home Depot breach costs doubled Target's

Credit unions spent $60 million following the data security breach at Home Depot in September -- twice as much as the recent Target data breach, according to a survey published Thursday.

Credit unions and banks had to reissue consumer cards that were breached, with current laws stipulating that they're responsible for picking up the costs.

The Home Depot data breach impacted 7.2 million consumer cards at credit unions, according to the survey, released by the Credit Union National Association (CUNA).

On average, it costs $8.02 to reissue a consumer card, according to the survey.

Last year's Target data breach cost credit unions $30 million, according to CUNA.

But credit union officials say the risk to reputations following a data breach is even more burdensome.

“The bottom line is that credit union members end up paying the costs – despite the fact that the credit unions they own had nothing to do with causing the breach in the first place,” said CUNA President and CEO Jim Nussle.

Consumers often are notified by their bank or credit union that they need to have their cards reissued following a breach at a retailer, which bankers say puts them at a disadvantage with consumers who might blame them and not the retailer.

The retail industry pressed back against the credit unions’ criticisms.

In a letter to CUNA and the National Association of Federal Credit Unions (NAFCU) sent later Thursday, leaders of the top retail industry groups said that retailers do have to shoulder some of the costs from data breaches.

"Even after absorbing substantial fraud losses, merchants are subject to massive fines by Visa and MasterCard networks and hundreds of millions of dollars in restitution through private litigation for cybersecurity breaches," they wrote in a letter signed by the Retail Industry Leaders Association (RILA) and the National Retail Federation (NRF).

Other groups signing the letter included the Food Marketing Institute, the National Association of Convenience Stores, the National Grocers Association, and the Merchant Advisory Group. 

The retailers noted that many in the financial services industry have formed a partnership, led by RILA and the Financial Services Roundtable, to establish a private-public partnership with businesses to share data threat information.

"Unfortunately, while retailers, restaurants, convenience stores, hotels, national banks, card networks and community banks have joined the Partnership, one constituency has still not seen fit to participate: credit unions," they wrote in the letter. "It is past time we started working together for the greater good of America’s consumers."

Other top retailers and financial firms — including Neiman Marcus and JPMorgan Chase — have also reported major data security breaches.

President Obama and the administration have called for more stringent security technology to be used in credit and consumer cards. The financial services industry has also been working closely with the administration to encourage threat information sharing to protect consumers.

However, Congress has been slow to take up cyber security legislation. Most Republicans and Democrats support implementing a national data notification standard that would require retailers to notify consumers when their information had been breached.

Republicans want a standard that would allow for the industry to evolve with rapidly changing consumer technology. Democrats want a more stringent standard that they say would better protect consumers from the patchwork of lenient standards in the states.

This story was updated at 4:14 p.m.