November 17, 2008 – Phishing Alert

We have received notification from our CURewards™ merchandise vendor, Hinda Incentives, regarding an investigation of a potential systems breach.

While Hinda has not fully completed their investigation of this incident, we have received the following information from them: NO ACCOUNT NUMBER INFORMATION IS AT RISK AND NO MEMBER PASSWORDS ARE AT RISK. ALL ACCOUNT NUMBER INFORMATION AND PASSWORD DATA IS FULLY ENCRYPTED WITHIN THE HINDA ENVIRONMENT.

The attack on the Hinda system environment was targeted at the CURewards™ website that credit union members visit for general information and rewards redemption. Hinda’s investigation indicates that the attackers were successful in gaining access to the supplemental security questions used to facilitate the reset of forgotten passwords. Only credit union cardholders who completed the online rewards registration process are potentially affected.

As a result of this incident, the attackers would have clear access to the member’s name, email address, user ID, address and ship to address. As mentioned above, no passwords or account numbers are at risk. In addition, the website’s forgotten password functionality has been disabled. This action, in essence, nullifies the attacker’s ability to use the supplemental security question information obtained through the attack.

Hinda will be initiating a procedural change that will require the currently registered website rewards users to re-register online. The re-registration process will require users to choose new and different supplemental security questions and, as a result, a new password will be required to be selected. Users will see a prompt on the website instructing them to re-register as part of an enhancement to Hinda’s online security.

We will be providing continuing updates on this situation as additional information becomes available.

Please contact Cardholder Services at (800) 654-7728 with any questions. Thanks!

Comments are closed.