A computer error by an employee of Bethpage Federal Credit Union caused some of the personal information of nearly 86,000 members to be viewable on the Internet for a month.
The state's largest credit union by assets Tuesday notified 85,797 account holders -- all its members who have Visa debit cards -- that they were affected. Bethpage has 200,000 members in total.
Bethpage president and chief executive Kirk Kordeleski said no accounts so far have been compromised and no money has been lost.
"We do know that no fraud has occurred," he said, but added, "things could change," based on an ongoing investigation by two security firms retained by Bethpage.
Kordeleski said no business accounts were affected.
The information inadvertently posted by the employee -- who has since resigned -- was on the Internet from May 3 to June 3, Kordeleski said, when the leak was discovered and access to the file was eliminated. An employee's child discovered the leak in the course of a Google search of the child's name.
The leaked information included names, addresses, dates of birth, Visa card numbers and expiration dates, as well as members' savings and checking account numbers.
It didn't include Social Security numbers, card PINs or the three-digit security codes on the reverse of the cards.
So, Kordeleski said, making use of the information would be difficult.
But he warned members to beware of "phishing" scammers attempting to solicit further personal information, such as Social Security numbers, in telephone calls or emails.
The notification to members was delayed until Tuesday by the logistics of notifying 86,000 customers and by the investigation, company spokeswoman Katherine Heaviside said. "It wasn't until [Monday] that we were comfortable that actually the data could have been compromised," she said.
The data leak was a first for the fast-growing, Bethpage-based credit union. The cost to Bethpage will likely be $1 million to $2 million, including fees to the security and financial consultants and its communications with members, Kordeleski said. The credit union earned $40 million last year, and has assets of $4.85 billion.
A search of the database of Privacy Rights Clearinghouse, a consumer information and advocacy website, found 29 bank and credit union data incidents from January 2011 to the present. Paul Stephens, Clearinghouse's director of policy and advocacy, said "a handful of credit unions" are hit every year. While the Bethpage leak is large for a credit union, he said, "it's not particularly large as breaches go. There have been many breaches that have affected in excess of a million" people.
Some customers appeared to be cutting the bank some slack. John Eagan, 66, of Smithtown, a longtime Bethpage member, said, "I've seen it [the credit union] change and grow and adapt. I think I know the culture of the organization from the top down, and I trust them implicitly."
The error occurred, Kordeleski said, as the credit union was notifying debit card holders of a switch from Visa to MasterCard. An employee used a file transfer protocol website she believed was secure to send information to a mailing house.
"This was not a hack or a breach of our core system," the credit union said in a notice sent to members, "but an isolated incident."
With Keiko Morris and Carrie Mason-Draffen
Account information of 85,797 Visa debit card holders was inadvertently posted on an unsecured website from May 3 to June 3, including names, addresses, debit card numbers and expiration dates, and savings and checking account numbers.
If you're affected:
Cardholders are protected by Visa if there is misuse of credit card numbers.
Source: Bethpage Federal Credit Union