By Roy Urrico
The identity theft threat for credit unions and other organizations is evident from recent reports. Such as the Identity Theft Resource Center tracking 2,116 data compromises in the first three quarters of 2023, with 110 million victims in the third quarter alone; and in November 2023, some 60 U.S. credit unions reportedly experiencing outages due to ransomware attacks on a cloud IT provider.
Temecula, Calif.-based IDIQ, which delivers real-time alerts and credit report information, partners at the enterprise level with credit unions and other organizations. This collaborative effort is designed to proactively reduce fraud risk, mitigate the effects of cyberattacks when they take place, and assist with next steps to minimize the potential risks for organizations and account holders.
“We partner with businesses and go direct to consumer and provide tools and services to help people identify that they have been the victim,” Patrick Glennon, chief technology officer at IDIQ, told Finopotamus. He explained IDIQ monitors dark websites and credit usage when personal data becomes exposed or exfiltrated.
One of the key ways to recognize if somebody has had their identity or information stolen is if the unsuspecting victim’s name suddenly starts appearing on various financial activities, Glennon noted. He described how IDIQ looks for suspicious interactions involving tax fraud, opening lines of credit, initiating a credit card account or purchase. “Those are the kinds of things we do.”
Glennon said most financial institutions’ fraud departments do a “decent job” of catching threats from a penetration standpoint. “What we do that is a little different. We want to alert our member base when data breaches occur.”
IDIQ also scans the dark web. “We look for credentials, credit card numbers, driver's license numbers, Social Security numbers, things like that,” said Glennon who noted IDIQ also monitors the National Change of Address (NCOA) list, which is operated by the United States Postal Service.
How IDIQ Works
“We typically sell through partners and employers. The credit union channels are a little bit new for us but we are making some good inroads,” explained Glennon. “There is a good match for the kind of thing we provide, especially in a case where somebody has had a breach. It is a pretty valuable service to be able to offer.”
IDIQ offers flexible partnering opportunities. “With credit unions we tend to directly communicate with the credit unions. In the employee benefits space, we do go through some marketplaces and some brokers,” said Glennon.
Glennon walked through a typical scenario a credit union might face. “Once we get through the contractual side of things with the credit union, they tend to start with their employees as a test and see how things are going. They will give us some bulk enrollment details; then we will use that to create accounts in our system.”
Credit unions present IDIQ as an add-on service to its membership and IDIQ only receives a file of members agreeing to the service. “We only get the ones who have opted in; we do not get a complete dump. We just want the people who want the service,” said Glennon.
Monitoring for Data Exposures
Glennon addressed the somewhat contradictory nature of protecting IDs, while also maintaining members’ privacy.
“We try to educate people and let them know it is a choice. It is a tricky one. We can provide information on how we are securing those credentials,” he said. “We would be lying if we said it was not a risk to provide those credentials out there (in cyberspace). That is really the only way we can see if (one’s identity) been exposed.”
Glennon further explained the initial monitoring starts with searches of email address and usually a member’s Social Security number. “We do not always get Social Security numbers. Some people do not want to give it out understandably. But the more information that we have to monitor, the better.”
Glennon noted, “You will typically find almost everybody who had a Yahoo account will show up on a data breach alert at some point or another, because they had a pretty big hit,” said Glennon. He referred to a series of data breaches over a multi-year period that Yahoo confirmed in 2017 that exposed its three billion user accounts.
“So, things like that we'll get a hit on,” stated Glennon. “Then, we will walk you through some (deterrence) steps and just basically make sure you are changing your passwords. If someone gets compromised, we have a credit recovery specialist that will handhold the member through the process of working to clean up their credit, and to challenge the line items showing up in the report to get their accounts cleaned up.”
Keeping Up on Trends
The other part of monitoring focuses on possible fallout from recent cybersecurity incidents, such as those 60 credit unions hit by the November 2023 ransomware attacks.
“There is every reason to believe that data was pulled off of those systems and put somewhere else,” said Glennon. That information could include account numbers, personal identifiable information (PII), and email addresses. “It would be foolish to think (fraudsters) didn't take that data and stick it somewhere to sell or have somebody utilize it.”
He added, “What we are really doing is monitoring those events and putting a bunch of tools in your hands to recognize as quickly as you can that your information is being used. There are very few members that sign up and do not immediately get a hit of the last five years of some account that it is not really relevant anymore because it is not in use anymore.”
Knowingly or not, the information is out there. “It is a matter of whether or not somebody has gotten a hold of it and started to actively try to do something with it. And that is really what we are doing,” said Glennon.
Glennon suggested, “Even if there's not an explicit financial loss,” there may be some legal danger for credit unions. For example, the $1.35 billion Ventura County Credit Union, which supports over 75,000 members, was hit with two class-action lawsuits over the 2022 theft of data. According to the civil complaints, the credit union’s online systems underwent a two-month ransomware attack and data breach. The breach, according to the lawsuit, compromised customers’ and employees’ names, Social Security numbers and financial accounts information.
Glennon emphasized IDIQ is not about preventing the data from getting out there. “Data breaches are happening all the time. The sophistication is growing and the tools are growing that are making the cost of entry into (fraud) easier.”
IDIQ’s goal is to immediately alert victims when their data has been exposed. Because once a breach happens, Glennon said it is difficult to stop fraudsters from misusing member data.
“If you are not getting an alert when someone is taking out a loan in your name to buy a truck, then you have no way to find that out and challenge it,” said Glennon. “The next thing you know a year is gone and suddenly something comes in the mail and you see evidence that somebody has bought a truck in your name.”