UI credit union cancels cards after Schnucks breach
CHAMPAIGN — Some holders of debit cards issued by the University of Illinois Employees Credit Union were caught by surprise last week when the credit union canceled the cards without prior notice.
The credit union took the action Thursday after it learned those card holders' information had been compromised as the result of a security breach at Schnucks supermarkets.
Greg Anderson, senior vice president of the credit union, said about 3,400 debit cards and about 1,400 credit cards held by credit union members had been compromised as a result of the Schnucks breach.
The credit union was one of many financial institutions scrambling to contain fraud once the security breach became apparent.
At the UI credit union, new credit cards were ordered April 23 for affected customers. Those customers could continue to use their old cards until they received new ones, Anderson said.
But debit-card holders couldn't use their cards after the credit union moved to block those Thursday.
Anderson said the credit union sent emails to customers informing them of the action, in cases where email addresses were available for customers.
In cases where no email addresses were available, phone calls were placed. But in about 100 of those cases, the phone numbers listed were no longer valid.
Anderson said the credit union canceled the debit cards after a "tsunami" of fraud reports came in last week.
"The activity really accelerated once it was reported by Schnucks on April 15," he said.
Anderson said the credit union tried to accommodate debit-card customers through other means, waiving the fee on Visa travel cards that would enable people to get cash. The credit union also participated in "share branching" with credit unions elsewhere so people could get cash at other locations.
Not all holders of debit and credit cards issued by the credit union were affected, Anderson said. It turned out only about one of every four UI Employees Credit Union cardholders had used their cards at Schnucks in the December-to-March period in which information was compromised.
Anderson said if circumstances similar to last week's were to occur, he would try to communicate earlier with customers — letting them know the credit union was investigating the circumstances and there might be cause for the credit union to block the cards.
"We apologize for the impact on people," he said, adding the credit union had received both support and complaints from members.
The number of cases of fraud being reported at the credit union has slowed down this week, Anderson said.
"We think we've stopped the leak," he said. "Monday and Tuesday, it was very much back to normal."
Anderson said the cost of the fraud "falls on the financial institution," not the merchant, the processor or the cardholder.
The credit union is still gathering information on how much the fraud cost it, but Anderson estimated it in the "tens of thousands" of dollars.
Any chance of recovery through the courts is likely to be only "fractional," he added.
Anderson said it's not the largest card-fraud case the credit union has encountered. That distinction goes to a 2008 case in which information on cards processed by Heartland Payment Systems was compromised.