PenFed had a laptop infected with malware that permitted unauthorized access to a database containing personal data of certain members. The security breach appeared to only affect PenFed members with credit cards. Fatwallet members with Amex and Visa credit cards reported being issued new credit cards with new numbers. Letters to affected members were supposedly sent on January 4th.
New Hampshire is one of the states that require financial institutions to notify the state attorney general of security breaches that affect any of the state's residents.
Here's the PenFed's letter at the New Hampshire state website. It also included a template of the letter that was sent to certain members. Here's an excerpt of this letter:
PenFed discovered on or about December 12, 2010 that a laptop had been infected with malware that permitted unauthorized access to a database containing names, addresses, Social Security numbers, PenFed account numbers, credit card numbers, and/or debit card numbers for PenFed members, joint owners, former members, employees and beneficiaries. The incident affected approximately 514 New Hampshire residents.
Once PenFed discovered the unauthorized code, PenFed took immediate action to eliminate it. PenFed has identified the means by which the information was accessed and has taken appropriate steps to prevent this from recurring.
To date, PenFed has no indication that the personal information of affected individuals involved in this incident has been misused.
PenFed will promptly notify affected individuals of the incident by sending notices via first-class mail on or about Tuesday, January 4, 2011.
As is common when there are breaches like this, PenFed is offering two years of free access to a credit monitoring service.
This is one of the risks of having accounts at multiple banks and credit unions. Each additional account at an institution increases the chance that your personal information could be exposed to criminals.
Also, it's a reason why I don't like giving institutions the social security numbers of my beneficiaries. Sometimes banks or credit unions only require names of the beneficiaries when you want to include them on the payable-on-death list for a deposit account. However, I've experienced some that have required the social security numbers.