TCF Financial Corp. is issuing new debit cards to customers whose information was stolen in the Target data breach as fallout from the giant holiday cyberheist continues.
TCF is the largest Minnesota bank to take the replace-them-all approach, joining banks such as JPMorgan Chase & Co., which quickly said it would replace 2 million cards after the breach became public in mid-December. Several Minnesota credit unions have taken the same approach.
Wayzata-based TCF, known for its huge stash of checking accounts relative to its size, is in the process of sending letters and e-mails informing customers of the change, and telling them when they can expect to receive a new card, a bank spokesman said. The bank won’t say how many cards it’s reissuing, but said most are debit cards.
TCF emphasized that it won’t deactivate existing cards until after customers receive a new one and activate it. “Once the new card is activated, their old card is immediately voided,” spokesman Mark Goldman said.
Customers don’t have to change their personal information number (PIN) if they don’t want to, said TCF Vice Chairman Tom Jasper, adding that the decision to reissue cards was in the “mutual best interest” of the bank and customers.
“We’re willing to incur the full cost of replacing cards because it gives our customers greater confidence that their financial information is secure, and they won’t be victims of fraud related to the Target breach,” Jasper said.
The 19-day breach, linked to malware on point-of-sale terminals in Target’s U.S. stores, gave thieves access to the credit and debit card information of 40 million people who bought merchandise in stores between Nov. 27 and Dec. 15. The cybertheft remains under investigation by Target, a forensics firm the retailer is working with, the U.S. Department of Justice and the Secret Service.
The intrusion quickly became a nightmare not just for Minneapolis-based Target Corp., but for banks, credit unions and other financial institutions.
“The massive amount of customer service work by banks that goes into managing these merchant breaches … we can’t recover that,” Jasper said.
At least one is trying
A small Alabama credit union on Thursday filed what is believed to be the first lawsuit by a financial institution against Target over the breach, claiming that the nation’s No. 2 discount retailer failed to adequately safeguard private customer information and burdened the credit union with the cost of closing accounts and reissuing new cards. The Alabama State Employees Credit Union is seeking class-action status on behalf of all financial institutions.
“Plaintiff and class members were required to expend time, energy and expense to address and resolve these financial disruptions and mitigate the consequences,” the lawsuit reads.
The complaint doesn’t put a specific dollar amount on the credit union’s losses. So far, actual costs are less than $100,000, “but it’s growing every day,” said Dee Miles, the credit union’s lawyer at Beasley, Allen, Crow, Methvin, Portis & Miles in Montgomery.
Under the first-to-file rule, the Alabama credit union complaint could take priority over other lawsuits by financial institutions seeking class-action status.
“The real question is will all the banks and other financial institutions allow a credit union to stand in their shoes for them as a class representative?” Miles said.
TCF declined to comment on the lawsuit, as did JPMorgan Chase & Co. Key banking industry groups were unavailable to comment Friday.
One Minnesota credit union leader said he thinks it’s too early to file a class-action complaint. Nick Meyer, president and CEO of Minnesota Valley Federal Credit Union, a $100 million credit union in Mankato, said he has ordered about 1,500 new credit and debit cards for members as a result of the breach. But the disruption to its operations is “manageable,” he said.
“Target’s a top company,” Meyer said. “We’re all kind of in this together.”
“We haven’t seen any fraud because of the compromise … yet, at least,” he said. “We’re monitoring very carefully.”