A database containing the names, addresses, social security numbers, and credit and debit card numbers of PenFed members was hacked, according to a letter the credit union sent to the New Hampshire attorney general.
The letter said that 514 PenFed members from New Hampshire were affected by the data breach, but it did not indicate how many members were affected overall. Paul Roberts, a security researcher with Kaspersky Lab, estimated that “tens of thousands” of PenFed members could have been affected by the data breach.
PenFed said it became aware of the data breach on Dec. 12, 2010, when it discovered a laptop had been infected with malware that permitted unauthorized access to its member database. The credit union stressed that it had "no indication that the personal information of affected individuals involved in this incident has been misused.”
PenFed sent out letters to the customers affected by the data breach on Jan. 4, 2011, and offered two years of credit monitoring services provided by Kroll.
“We learned [in mid-December] that some of our valued members’ sensitive information was accessed and/or obtained from our computer system without authorization. This information may have included your name, social security number, credit card number and/or debit card number. No personal identification numbers (PIN) or passwords were accessed and/or obtained. We have reissued all credit and debit cards relating to those members whose account information may have been improperly obtained”, wrote Roderick Mitchell, PenFed executive vice president of operations, in the letter to affected members.
“Once we discovered the unauthorized code, we took immediate action to eliminate it. We have identified the means by which the information was accessed and have taken appropriate steps to prevent this from recurring”, he added.