More than 7.2 million credit union cards were affected by the recent Home Depot breach, costing credit unions nearly $60 million according to a survey by the Credit Union National Association (CUNA). Nearly 135,000 cards were from Georgia, with an estimated total cost of $1,081,105. 

CUNA estimates the total cost to credit unions (to date) of the Home Depot breach is $57.4 million.  

The results of the survey show the cost of the violation per card issued by credit unions was $8.02, which included costs for reissuing new cards, fraud and all other costs such as additional staffing, member notification, account monitoring and more. 

The compiled data is from 544 responding credit unions across the U.S. The responding credit unions collectively issued 14.9 million debit cards and 5.2 million credit cards, for a total of 20.1 million cards outstanding. That represents 28.2 percent of the 53 million debit cards issued by credit unions, 32.5 percent of the 16 million credit cards outstanding and 29.2 percent of 69 million cards outstanding.   

John Kerley, Chief Operating Officer of Cooperative Services, Inc., a service organization owned by 53 credit unions in Georgia said credit unions are taking the brunt of the fiscal damages incurred by data breaches.  

"Merchants, which allowed the breaches to occur, have no financial responsibility to make the consumer or the financial institution whole," Kerley said. "Financial institutions are the ones who bare the expense for the merchants' negligence. Financial institutions are held to a much higher standard."  

CUNA conducted a similar survey in the wake of a data breach at Target stores in December. That survey found the Target breach cost credit unions nearly $30 million and to date, credit unions have not been reimbursed for the costs they incurred as a result of the Target breach.   

"The cost to credit unions of data breaches - which seem to be occurring with increasing regularity - is rising, as the CUNA surveys clearly demonstrate," said CUNA President and CEO Jim Nussle. "The bottom line is that credit union members end up paying the costs, despite the fact that the credit unions they own had nothing to do with causing the breach in the first place."

Nussle added that all participants in the payment process have a shared responsibility to protect consumer data. 

"However, the law and the incentive structure today allow merchants to abdicate that responsibility, making consumers vulnerable," Nussle said. "Congress has a role to play in addressing the issue of merchant data breaches by making sure all of the participants are playing by the same set of data security rules and that merchants who hold consumer data and allow that data to be breached, are responsible for the costs incurred by others. Congress must act to protect consumers by taking steps to enhance data security standards for merchants."  

CUNA Chief Economist Bill Hampel, who conducted the survey, said the results show more than 80 percent of credit unions affected by the breach have reissued or will reissue all affected cards. Nearly one in five will reissue or have selectively reissued cards in response to member requests or other factors. 

Summary of survey results:

• 91.8 percent of responding credit unions were notified by their processor or network that some of their members' cards had been affected by the Home Depot breach. 

• The number of affected debit cards at reporting credit unions amounts to 11.4 percent of outstanding debit cards at those credit unions. CUNA estimates 6 million credit union debit cards were affected.

• The number of affected credit cards at reporting credit unions amounts to approximately 7 percent of outstanding credit cards at those credit unions. CUNA estimates 1.1 million credit union credit cards were affected.

The total number of affected debit and credit cards at reporting credit unions amounts to 10.3 percent total cards outstanding at those credit unions. CUNA estimates 7.2 million credit union debit and credit cards were affected by the breach.

• Responding credit unions report the following actions or plans concerning card reissuance:

• 80.1 percent will reissue or have reissued all affected cards.

• 18.5 percent will reissue or have selectively reissued cards in response to member requests or other factors.

• 1.4 percent do not plan to reissue cards.

• Credit unions report the following changes in call volume by members asking about the Home Depot breach, compared to normal for the time of year:

• 15.5 percent of respondents said call volume was normal

• 29.2 percent said call volume was up less than 10 percent  

• 34.7 percent said call volume was up by 10-25 percent

• 13.6 percent said call volume was up 25-50 percent

• 4 percent said call volume was up 50-100 percent

• 3 percent said call volume was up more than 100 percent 

• 36.6 percent of credit unions report having to increase staffing, additional overtime and more shifts as a result of the Home Depot data breach.

• Credit unions were asked to report three cost items related to the Home Depot breach: card reissuance, fraud and all other costs resulting from the breach. The amounts of reported costs across all responding credit unions per affected card at all responding credit union were:

• Card reissuance:          $2.64 per affected card.

• Fraud:                          $4.89 per affected card.  

• All other costs:            $0.50 per affected card.

• Total costs:                  $8.02 per affected card.

"Card reissuance is an expensive proposition, representing about a quarter of the total costs to credit unions of these breaches," Hampel said. "But our latest survey found that fraud is the most expensive component of costs, amounting to $4.89 for each card, or 60 percent of the total costs."