About Ken Tumin

Ken Tumin founded the Bank Deals Blog in 2005 and has been passionately covering the best deposit deals ever since. He is frequently referenced by The New York Times, The Wall Street Journal, and other publications as a top expert, but he is first and foremost a fellow deal seeker and member of the wonderful community of savers that frequents DepositAccounts.

Malware on Laptop Caused Security Breach at PenFed
PenFed had a laptop infected with malware that permitted unauthorized access to a database containing personal data of certain members. The security breach appeared to only affect PenFed members with credit cards. Fatwallet members with Amex and Visa credit cards reported being issued new credit cards with new numbers. Letters to affected members were supposedly sent on January 4th.

New Hampshire is one of the states that require financial institutions to notify the state attorney general of security breaches that affect any of the state's residents.

Here's PenFed's letter on the New Hampshire state website. It also includes a template of the letter that was sent to certain members. Here's an excerpt of that letter:

PenFed discovered on or about December 12, 2010 that a laptop had been infected with malware that permitted unauthorized access to a database containing names, addresses, Social Security numbers, PenFed account numbers, credit card numbers, and/or debit card numbers for PenFed members, joint owners, former members, employees and beneficiaries. The incident affected approximately 514 New Hampshire residents.

Once PenFed discovered the unauthorized code, PenFed took immediate action to eliminate it. PenFed has identified the means by which the information was accessed and has taken appropriate steps to prevent this from recurring.

To date, PenFed has no indication that the personal information of affected individuals involved in this incident has been misused.

PenFed will promptly notify affected individuals of the incident by sending notices via first-class mail on or about Tuesday, January 4, 2011.

As is common when there are breaches like this, PenFed is offering two years of free access to a credit monitoring service.

This is one of the risks of having accounts at multiple banks and credit unions. Each additional account at an institution increases the chance that your personal information could be exposed to criminals.

It's also a reason why I don't like giving institutions the Social Security numbers of my beneficiaries. Some banks and credit unions only require the names of beneficiaries when you add them to the payable-on-death list for a deposit account. However, I've dealt with some that required their Social Security numbers as well.

rjm | Comment #1
I noticed and then got the letter about the incident. They are sending me a new Visa, so they say. But I'm nowhere near NH, so it can't just be those people.
numberten | Comment #2
I am one of the affected card holders as well. I am promised my new Visa card by the end of January. I was told to just use my current card till I get a new one.
will | Comment #3
When I received PenFed's letter, my reaction was, and still is, that the letter, and that of the attorneys to the officials in New Hampshire, contains precious few details of the facts surrounding this incident. I had no idea whose "laptop" was involved, i.e.: Was the laptop owner or user an employee? An ex-employee? A consultant or contractor, or a government or NCUA employee? Was some form of "hacking" involved? Is something being done regarding this incident with respect to the owner/user of the computer having the malware on the computer in the first place? Will there be more information released about this incident to those whose Social Security numbers and other data were accessed? The statements provided in this case read as if a computer simply does what it does independently of an owner, operator, etc. I appreciate the fact that some relevant information should be protected from release because that might affect some aspects of an ongoing investigation; however, I'm asking myself if I really want to continue my present relationship with PenFed if PenFed is providing so little information to those now subject to a security breach potentially permitting theft of their ID, something serious enough that it has resulted in PenFed's arrangement for some "damage control" in the form of providing account monitoring, etc. Q.: Does anyone else believe someone in this position is entitled to have a clearer picture of what is involved here?
Central Ohio | Comment #4
The article is relatively but not completely correct. I personally have accounts at PFCU AND a PFCU VISA Card. There was no impact on my card. I received a routine new card this month due to expiration of the old card and the number is the same. No letter no credit tracking, etc. IMO this only impacted some BUT not all PFCU Account holders.
tommyvjr | Comment #5
You are right about giving out full Social Security numbers of beneficiaries; why not just the LAST 4 NUMBERS?
Rosedala | Comment #6
I agree completely with Will #3! I didn't use their credit card, but the same as all others, my Social Security number may be compromised and I'm terribly worried as my entire IRAs are there.... I'm writing them with Will's questions and will let you know if I get an answer, but... don't expect it any time soon. :(
Rosedala | Comment #7
Sorry, forgot to tell you that I haven't received such a letter from them.
moneysaver | Comment #8
Has anyone seen ANY mention of this on the PFCU web site? I sure haven't.

I did notice in the past few weeks, when looking at their online banking, that first one and then both of my credit cards with them were showing up in online banking as having been issued new cards/numbers -- even though I hadn't/haven't received those in the mail as yet... I just thought it was a routine deal, until I read the news today about the security breach.

I've been on the PFCU online banking a lot lately, because of setting up some new CDs... and I haven't seen any notice on the web site, or even any kind of bank mail message on this... I think that's very BAD that they've decided to handle it that way...

Also, I'd caution the folks reading here to be careful about seeing the reference in the New Hampshire AG letter to 514 NH residents (with PFCU cards) having been affected. That's just a disclosure only for NH because of a particular state law there. That doesn't mean only 514 people were impacted total. That means 514 in NH only...

I'm assuming the nationwide number of PFCU members with VISA and/or AMEX cards (where the information was compromised) is going to be hugely larger.
moneysaver | Comment #9
By the way, the lag time from the Dec. 12 discovery to the Jan. 4 mailing of notice letters (which won't be received by members until some days later) means basically a MONTH passed between the time PFCU learned of the breach and the date their members would have received PFCU's notification.

As someone who used to work in government and dealt with public disclosure of IS breaches in my own agency, I'd consider that kind of delay to be UNACCEPTABLE... particularly when PFCU had other, more rapid means available than postal mail to notify members whose information may have been compromised...

The original breach is bad enough, but the apparent handling of the aftermath of it is equally disturbing... I'm going to be asking PFCU for some answers about this...as one of its members.

Anonymous | Comment #10
A security breach of this kind, especially concerning credit card holders' information is not unique to PenFed.  There have been several such breaches at various banks across the country in the last few years.  I was notified by my local bank two years ago about the same sort of security breach.  That bank instituted the very same follow up measures as PenFed is taking now.  I suffered no ill consequences.
pearlbrown | Comment #11
The letter to the AG was worded carefully; however, the breach compromised not only those with credit and debit cards, but every accountholder. Once a database is breached it should be assumed that all fields become fair game. I always activate any and all account activity alerts available to me at any financial institution as a precaution.

Rosedala, as far as IRA accounts, there is normally additional paperwork involved in closing accounts or taking withdrawals but I don't know if such accounts can be breached nonetheless with bank-to-bank transfers.
Anonymous | Comment #12
Okay. I'm a bit confused (so what's new?). My spouse and I have separate accounts at PenFed (she could join because I was a member). Our PenFed Visa is in my name, but she got the letter and the two years free credit monitoring!

When I called, I was told that it didn’t really matter who got the monitoring.

For what it's worth, decades ago when I was in the USAF, I worked at the Pentagon, the real one, not the credit union. However, I can definitely see the relationship.

Oh, I was also told that our new cards (in my name) will be mailed out on the 13th. The 13th, huh! Yeah, lots of luck with that.
Sandra | Comment #13
What interests me is that this problem affects (emphasis added by me) "...PenFed members, joint owners, former members, employees and beneficiaries...". So, even if you have closed out an old account at PFCU, your personal info is still at risk. I wonder if this is also true at other banks and CUs? Is there then any point in closing out an old account?
Anonymous | Comment #14
Sure, there is a point to closing an old account. Namely, that you won't get dinged with whatever random inactivity or "maintenance" fees the institution might decide to start charging in the future.
Anonymous | Comment #15
Unless PenFed has determined who actually accessed the information and why, I suggest it would be equally proper and forthcoming for PenFed to also state:

'Sadly, until we can prove otherwise, there is also no indication the personal information of affected individuals involved in this incident will NOT be misused.'
Rosedala | Comment #16
Rosedala, as far as IRA accounts, there is normally additional paperwork involved in closing accounts or taking withdrawals but I don't know if such accounts can be breached nonetheless with bank-to-bank transfers.

Thanks Pearlbrown, but I don't know just how the criminal(s) will use the power now. Besides, if they find it awkward to withdraw funds, then they've got our SS numbers to play with... Though I ask myself, what can the CU do in a case like this? It seems we are all doomed... :(

Anonymous | Comment #17
Are you kidding me?  I got the email about getting a new VISA account number and the security breach.  If only 514 NH residents were impacted, why are they doing a wholesale mass account number change of their system?  The letter said that SSNs, Names, Addresses, and account numbers may have been compromised.  PINs and passwords were not.  Well, PINs, passwords, account numbers are disposable.  SSN, Addresses (unless you move) and Names (unless you have it legally changed) are not.
Anonymous | Comment #18
I received the letter stating I was one of the members affected by this security breach. My letter does not say anything about joint account holders. As noted, the letter to the New Hampshire Attorney General does. I called PenFed to inquire about my husband's personal information. The CSR assured me that if he had been affected he would receive a separate letter. So far he has not. The CSR said she was affected by the breach and her husband and son also received separate letters. I could tell the CSR was quite concerned about this whole mess too. As #16 said, "we are all doomed" because there is no way to completely protect yourself from the possible misuse of your personal information. I wish SS would issue new numbers in these cases. We need more and better ways to protect ourselves.
D | Comment #19
Thank you for posting the letter from PenFed lawyers to the Attorney General of New Hampshire.  There are significant differences in that letter and the one I received from PenFed.

First, I was informed in my letter that information that MAY HAVE BEEN accessed included  my name, address, Social Security number, credit card number and/or debit card number.  The letter to the AG of NH included all of those items plus Pen Fed account numbers among the possibly accessed information. My letter did not mention PenFed account numbers. 

Second, the letter to the AG stated that information accessed COULD include not only member information but also information on joint owners, family members, employees, and beneficiaries.  My letter mentioned that my information may have been accessed, but did not mention any of the other categories of people, although several of my Pen Fed accounts have beneficiaries.

When I first read my letter, I remember being relieved that my PenFed account numbers were not among the info that may have been accessed, but now I'm not so sure that is the case. 

After reading the letter to the AG, I'm left to wonder if my very generic letter may have been incorrect in omitting PenFed account numbers as a type of information that MAY HAVE been obtained from PenFed's computer system.  Am I to assume from my letter that all my personal information (name, address, SS#) and my credit card could have been accessed but that my PenFed account numbers were not accessed? Both my credit card and bank account numbers are accessible to me online, and both seem to be accessible on the computers of customer reps when I call them.  How is it that malware may have accessed credit card numbers and/or PenFed account numbers of some members in New Hampshire, but in my case, a resident of another state, malware  may have accessed my credit card number but did not access my PenFed account numbers?

Also, the letter to the AG of NH mentioned that the information was accessed from a laptop infected with malware. My letter did not mention malware. It simply said that some PenFed members' sensitive information was "accessed and/or obtained from our computer system without authorization."

I, like other PenFed members above, would like more of an explanation of what happened.

I will call the PenFed 800 number but doubt I’ll get satisfactory answers to my questions or be put through to the computer security experts who might know the answers.
Anonymous | Comment #20
Not all account holders with credit cards were affected so it was not a wholesale breach. If you have not received a letter you are safe in regard to this incident. Per PenFed CSR 13 Jan 2011 1930 hours EST.
moneysaver | Comment #21
I spoke at length with a CSR and then a supervisor about this the other evening.... Here are a couple things to clarify:

--the New Hampshire letter and reference to 514 customers only refers to the number of affected customers in that state, which they had to disclose under that state's law. There hasn't been any info disclosed that I've seen that says how many TOTAL customers were affected.

--The NH AG letter does say PenFed account numbers were compromised; the PenFed letter doesn't mention that. In talking to the PenFed supervisor, he insisted that PenFed account numbers and online IDs and passwords were not part of the compromised info.

--the PenFed supervisor said PenFed ATM card numbers were not accessed, only various credit card numbers. So for that reason, they are not re-issuing the debit cards, only the credit cards.

--In response to my questions and complaining, the PenFed supervisor claimed that they notified affected members in some fashion via a Dec. 23 email. (PenFed doesn't have its own internal bank messaging system like some/many other banks.) As far as I can tell, I never received any such email, even though I'm one of their affected customers.

--Re the prior credit card numbers that are being replaced because of the data breach, the PenFed supervisor said users can continue to use their prior cards until the end of January. If a user receives and activates their new card/cards sooner, the old card number will be deactivated once the new card is activated.

I pointed out that would allow someone who might have illegally received those card numbers to start ringing up fraudulent charges between now and the end of the month. The PenFed supervisor said they understood that, but that they didn't want to suddenly freeze the cards of members who might rely on them and not yet have received their replacement cards.

--I was particularly curious just how the info was illegally accessed. Under some questioning, the supervisor claimed the data was breached in a manner that would allow it to be SEEN by unauthorized parties. He insisted that it wasn't a situation where the entire database file of the information involved was somehow stolen or copied by an outside party.

I posed the question above, did anyone get any notice of this from PenFed prior to reading about it here via Ken's web site... So far, none of the comments above have answered that question... I'd really like to know if anyone received the Dec. 23 email that the PenFed supervisor was claiming they sent out.

Anonymous | Comment #22
Probably have to depend on WikiLeaks to find out what really happened and who was affected. This lack of transparency on the part of PenFed is surprising based on their previous fine service.
Rosedala | Comment #23
Hi again, I emailed PenFed's CEO & Pres. Frank Pollack; Chm. Jim Quinn and Pamela Pealer (I believe manager?), and their attorneys and a PenFed's Mr. Richards, questioning them about several things, including their inadequate method of handling this tragic situation, quoting Anonymous #3's comment and urging them to answer.....

......In answer, PenFed slapped me with their form letter (I never received any letter from them before!):

<<Thank you for contacting Pentagon Federal Credit Union.

<<You may have received a recent email pertaining to your credit card. As a
precautionary measure, PenFed is taking steps to protect our members against any
potential fraud exposure. A separate letter with additional information has been
mailed, which you should be receiving shortly.

<<At this time, we are not aware of any account misuse, and no PINs or passwords
were compromised. As with any unauthorized transaction on a PenFed account, the
credit union will not hold you responsible for any losses. We are investigating
the matter, but with an overabundance of caution some new credit cards are being
issued as a precautionary measure against any potential fraud exposure.

<<We apologize for any inconvenience this may cause you. We appreciate your
business and the trust you’ve placed in us.

<<If you need further assistance, please contact us.


<<Brad Bradford
<<Pentagon Federal Credit Union>>

Thought some here would like to see how their letter compares.   Rosedala


Anonymous | Comment #24
My wife and I share a joint credit card. I also have a separate one only in my name. She is the primary account holder on our joint card. She received an email that our joint card will be re-issued in late December. I did not receive an email pertaining to my individual card, so I assumed that the email went out to just individual owners. When she got the letter via USPS offering the monitoring service in early January, I did not, and so I called PenFed. I asked if my information was compromised since she got an email and I did not. The CSR indicated that they didn't initially know that joint account holder information was compromised but did at some point and I would be receiving a letter. I got one the next day.

We have yet to receive replacement cards and my individual card has not been involved in the incident thus far. As a software engineer/enterprise database implementation consultant I am surprised by this. I am curious as to what database it actually was. I asked the CSR if the database that was compromised was a network-connected one on the laptop or a local version, and she wouldn't help me find the answer. I too echo the issues with how PenFed is handling the communication to members. They've been my primary institution for 15 years, but this, coupled with poor service/respect issues during the mortgage process and growing customer service issues when I call in, is pushing me towards other offerings that are available.
Anonymous | Comment #25
In answer to post #21, I did not receive an e-mail notification about the illegal access of PenFed's system.  Did anyone get such an e-mail?

I would have appreciated learning sooner that my personal info had been improperly accessed.  I did not receive my letter until last week.  There was no date on the letter and no postmark.  PenFed discovered the security breach "on or about Dec. 12," according to their letter to the NH Attorney General.

I am more than annoyed to have received a letter notifying me that I would receive a new credit card  many days before I received the letter informing me that my personal information had been improperly accessed.  

If PenFed did not send an e-mail (a speedier form of communication) in addition to the letter, I think PenFed is remiss.  Two of us bloggers did not receive an e-mail, and no one has yet mentioned receiving one.

Sending both an e-mail and a letter would also be a precaution against the possibility of mail not being delivered. 
Anonymous | Comment #26
Correction to my post #25. Two people (one plus me) noted that they did not receive an e-mail and one person (post #17) did receive an e-mail.

Poster #17, would you tell us exactly what your e-mail said? Did you receive a letter as well?
D | Comment #27
PenFed needs to be more transparent about the nature of the unauthorized computer access and the malware used.

Will #3, I strongly agree with you that those of us who had our personal information accessed are entitled to know exactly how it was accessed.

Anon #24, Rosedala #23, and Moneysaver #21, thanks for your attempts to find out what happened. 

I wish I could believe the explanation a supervisor gave to Moneysaver:  the supervisor "claimed that the data was breached in a manner that would allow it to be SEEN by unauthorized parties. He insisted that it wasn't a situation where the entire database file of the information involved was somehow stolen or copied by an outside party." 

But until I see a detailed written explanation of what happened from PenFed, I will not be satisfied and will feel uneasy about continuing a banking relationship with them.

I think that those of us whose personal information was compromised should continue to demand that PenFed be forthcoming with more detailed information.  

Rosedala, where did you find the e-mail addresses of the CEO and the other PenFed officials whom you e-mailed? It will take a lot of e-mails and letters to make them realize that to retain the trust of their customers, they need to be more transparent about problems that have the potential to be damaging to their customers.
moneysaver | Comment #28
Thanks to those above who responded to my question about whether they had received any email communication from PenFed about the data breach... I'm in my email every day, all day... all the time... And anything from PenFed would go straight into my inbox... I'm 99% sure I didn't get any such email from them.

When I broached that subject with the supervisor, he seemed to take offense that I was questioning him about why it had to be almost a month (Dec. 12 until the first week of Jan.) before most of us learned our SSNs and various other personal data had been compromised. His response was to argue that a month after the fact actually is a very speedy response. Needless to say, I told him I didn't agree about that.

As someone who worked in (non-banking) government in the past and actually dealt with client notifications for these kinds of matters from time to time, I do understand it takes the institution some time to get a handle on these things. That includes conducting a forensic inquiry to try to determine just what happened, where the info went and who may have gotten it.

But, understanding that, I still don't see any reason PenFed had to apparently wait until after they had completed their investigation in order to send out the mailed notices in early January. And I equally don't understand why, given that they have customers' email addresses, they couldn't have sent out a bank email ahead of the postal mail advising there had been a breach.

Before this episode, I've had no reason to think PFCU wasn't a better than average and well run credit union. And I'm not faulting them greatly for the actual data breach itself, since these things do happen everywhere from time to time... It's just a matter of human nature and mistakes...

However, I AM faulting them substantially for the delays in their communications with their account holders and for failing to make those notifications in a more timely way than U.S. postal mail.

Anonymous | Comment #29
Hi All, re my post #23, sorry I didn't clarify that what they sent me (only after I emailed them) was an email letter and not a regular mail letter.  :)       Rosedala
Anonymous | Comment #30
Chairman Quinn can be contacted by e-mail at PFCUBDChairman@penfed.org
Anonymous | Comment #31
I was affected by this breach also. I received PenFed's letter stating that they were sending a new credit card. Friday Jan. 14, I received my new card. I also signed up for the "free" two year credit monitoring service. Please note that this is not an automatic service. You either have to fill out the paperwork forms and mail them in, or you can do it online as well. I did it online. If you "Do Nothing" then you "WILL NOT" get this free service. I was very happy with the customer service I received from PenFed on a different matter, but still related to the issuing of a new card.
Anonymous | Comment #32
You do have the choice to sign up for the two-year credit monitoring service by mail or on-line.  But note that if you sign up by mail, that you will not be able to sign up on-line later to use the services on-line. 
PFCU member | Comment #33
I received my new debit cards yesterday, BUT one was issued for my wife, who died in 2003. PFCU knew this since accounts were changed in 2003 and they have a copy of the death certificate. They claimed she was on the debit card account which I opened in 2010. I told them that was rather unlikely. Anyway, they had to cancel my new debit cards and send another set of new ones. An incorrect name cannot be simply removed even if it is PFCU's error. So what's the problem? It would seem that PFCU is knocking itself out protecting PFCU from liability but has forgotten to protect its customers. BTW, my credit card has been frozen several times when I traveled even though I notified PFCU in advance. Not too reassuring.

P.S.  I would think if someone can read data on a screen (e.g., my SSN etc.), they can copy it.
rjm | Comment #34
Got my new card Friday.

At least I get a free redbox freebies. (Their promos are often 1 per credit card)

DVDATWAG, BREAKROOM & DVDONME always work. The first one at walgreens only.

As for an email notice, I got an email dated 12/23...

Important Notice about Your Account Ending in XXXX


We are writing to inform you that a new credit card is being mailed to you as a precautionary measure against any potential fraud exposure. A separate letter with additional information will be mailed to you, which you will receive shortly.  

When you receive your new card, please activate it as soon as you receive it, but not later than January 31, 2011. After activation or January 31st, whichever occurs first, you will no longer be able to use your old credit card. Charges that are made to the old card prior to activation of the new card will be transferred to the new card automatically.

Remember, should you have any automatic payments charged to your old credit card you need to notify those companies of your new card number and expiration date.

As always, PenFed assumes all responsibility for all unauthorized charges to your account.

Should you have any questions, please call PenFed at 1.800.247.5626.  

Thank you for your continued trust and confidence in PenFed's service.

Very truly yours,
Roderick B. Mitchell
Executive Vice President
Anonymous | Comment #35
No idea if I trust them or not, but.......

I never received an email or a snail mail letter so I called to see what was up.  The CSR told me that my info was NOT part of the security breach.  She said that those who were affected should see a notice when they log into their accounts and those who do not see a notice were not affected.  I hope none of us ever find out that our data was actually stolen.  In this kind of thing, no news over the next couple of years is good news.  Good luck to everyone!
PFCU Member | Comment #36
Nice move PFCU.  I sent an email to PFCU corporate and I must admit their quick and capable response surprised me.  They accepted that an error had been made with regard to my debit card reissue and FedExed me a new card overnight.  I was running out of cash so it really helped.  If PFCU will bend this far I must continue to rely on them for my future banking needs.  Thanks PFCU.
Anonymous | Comment #38
I have got to say I could care less about the credit card numbers being compromised- that is their loss if it is misused, not mine.  What I AM **VERY** concerned about is the loss of my SSN.  Are they THAT lax with security that the most critical of my information was compromised?  I smell a class action here.

moneysaver | Comment #39
I too signed up for the two years of credit monitoring service that PFCU offered to those whose personal info had been compromised by their info security leak. A couple of months thus far, and nothing to report... no problems... Keeping the fingers crossed.
Anonymous | Comment #40