PenFed credit card woes

[Lakedog]

I got a call asking about a charge to my Penfed Visa this weekend -- someone in France tried to charge just under $500 to my card. I was told that the person actually had a credit card with my number that they attempted to use (in person) at a building supply store. This is my first issue with any credit card in the 30+ years that I have been using them. Guess it is not such a big deal other than the hassle of not having the card to use for a few days -- will have to dust off my old Chase Rewards card that has been inactive for a year or two.

 

[REWahoo]

When I started this thread in early October, one of my biggest complaints was when my CC account number was changed (fraudulent charges) I lost the ability to see past statement history online. I complained to PenFed about this in a series of emails saying they encouraged folks to opt for e-statements but no way was I going to do so if I ran the chance of losing access to them. They did agree after a couple of complaints to send me paper copies of all my past statements for the year on the closed account.

Today when I logged into PenFed to check my CC activity, I noticed they'd added a new feature. I can now see my all old (closed) CC account statements online.

Thank you PenFed.

 

[Lakedog]

When I complained about the same issue last month after my card was closed/replaced, they told me they were working on adding that feature very soon. They did send me all 2010 statements.

I also had a note on my account page today that they were issuing another Visa card in a few days and my current one (have had it for less than a month) would be closed as soon as I activated the new one. I'm wondering if they had another issue with information being lost or compromised? Anyone else have this message on your account today?

 

[REWahoo]

I also had a note on my account page today that they were issuing another Visa card in a few days and my current one (have had it for less than a month) would be closed as soon as I activated the new one. I'm wondering if they had another issue with information being lost or compromised? Anyone else have this message on your account today?

I had the same message.

Note that it said:

You may notice that you have been issued a new credit card account below.

I think the "may" is the operative factor in the statement. I saw no new account number, only my current and old numbers. My current card hasn't been canceled as I used it twice today after seeing the notice.

I'll bet the notice went to anyone who had a card reissued in the past and now suddenly has the ability to access their old statements online. You should get a phone call or email from the PenFed fraud folks before they change account numbers on you.

 

[Brat]

We just received an e-mail stating that they will be sending a new cc and implicitly new numbers. They said to update any auto payments charged to our current card once we have the new card in hand.

This isn't cheap so I presume they have had a security breach.

 

[Lakedog]

I had the same message.

Note that it said: I think the "may" is the operative factor in the statement. I saw no new account number, only my current and old numbers. My current card hasn't been canceled as I used it twice today after seeing the notice.

I'll bet the notice went to anyone who had a card reissued in the past and now suddenly has the ability to access their old statements online. You should get a phone call from the PenFed fraud folks before they change account numbers on you.

I had a third CC number listed, and they had already transferred all the current monthly charges to the new CC (that I have not received yet). I sent an email - the reply indicated that I could continue using my current replacement card until the new one was activated.

Not sure what is going on but at least my card worked today so guess I will get an explanation with the new CC. I received the call from the fraud folks on the previous replacement but no call this time.

 

[RunningBum]

I got a call this morning that about some charges on my PenFed CC. There were 6 or 8 that weren't mine, from a couple of places in the US and a couple in Europe. I think all were online. So I'm getting a new CC number, but not in time for my trip in a couple of days. Luckily I've kept a second CC.

I had gone to the local Outback just before the fraud started, I wonder if the waiter grabbed the number, or if it was just hacked from some online store's vendor or something like that.

 

[Sarah in SC]

I didn't get the call, but I just logged in and found, yes, I'm getting yet another new card in the mail. I guess I'm happy that at least I can access the old statements. This will be my second new card in less than six months.

 

[Buckeye]

Getting a new one also.

 

[REWahoo]

Not getting another new one (got one in October) but did get a call from the Penfed fraud folks earlier today. They wanted to verify a number of recent charges - all were legit.

 

[REWahoo]

Looks like I spoke too soon.

When checking my CC balance this morning I noticed I was issued a new CC number today. Unfortunately the transferred balance does not include the payment (in full) I made to the CC yesterday. The old card shows the correct payment amount, the new one shows the amount as a debit, which cancels out the payment. Sigh...

More emails and phone calls next week to straighten this out. I've enjoyed the 5% discount on gas for the cars and diesel for the RV, but my hassleometer has just about pegged.

 

[braumeister]

Don't worry about it.
I'm being issued two new card numbers from PFCU, and the double accounting has been going on for a couple of weeks now.

They can take 3-4 days to properly reconcile the entries between old and new cards when I check their website, but they always get it right with no prodding from me.

Still haven't physically received the new cards yet, but I'm not concerned since they said it was OK to keep using the old ones until I activate the new ones.

 

[target2019]

I'm storing the PDF statements that are online at PFCU. Also doing this with my AMEX statements.

I have also been notified that a new CC has been issued. I was thinking it was one of my merchants, but see I am wrong.

Oh well.

 

[Lakedog]

Got my replacement card today and also a separate letter about "a recent discovery of a data security breach in mid December 2010 in which some of your personal information was improperly accessed". They are offering two years of access to ID TheftSmart through Kroll Inc. Figured something like this had happened since this was my second card replacement in two months.

 

[Rustward]

Saw this today: Malware snags Pentagon Federal CU member’s SSN and data | Office of Inadequate Security

"According to a letter sent to the state on December 30, on December 12, PenFed discovered that a laptop had been infected with malware. The compromise allowed access to a database containing names, addresses, Social Security Numbers, credit card and/or debit card numbers, and PenFed account numbers for PenFed members, joint owners, former members, employees, and beneficiaries. "

This is one that they know about. It makes one wonder what other breaches are undetected. At any rate, the user of this laptop is/was one of those "trusted individuals" with access to information.

Edit to add: I wish it were not so, but I am afraid that going forward this type of event is going to become business as usual until there is a major technology breakthrough in data security.

I bet the card issuers have gotten or will get very efficient at reissuing cards for possibly compromised accounts.

 

[REWahoo]

Thanks Rustward. Now we know why...

 

[braumeister]

This is why I have several credit cards. Imagine being on a foreign trip, when you really need a credit card, and suddenly find out your primary card has been compromised and frozen.
It has happened to me, once in England and once in Belgium.

My main card is the PFCU Visa, because of the great rewards program.
But I also have:
USAA MasterCard, which has a decent rewards policy
REI Visa, I buy a lot from them and using their card gets their annual rebate
Hilton Amex, because I frequently stay at Hampton Inns
PFCU Amex, to get that great signing bonus

When I travel, I carry all of them, just to be on the safe side. If one or two have a problem, I'm still covered with the others.

 

[Nords]

My main card is the PFCU Visa, because of the great rewards program.
But I also have:
USAA MasterCard, which has a decent rewards policy
REI Visa, I buy a lot from them and using their card gets their annual rebate
Hilton Amex, because I frequently stay at Hampton Inns
PFCU Amex, to get that great signing bonus

When I travel, I carry all of them, just to be on the safe side. If one or two have a problem, I'm still covered with the others.

Do you seen an effect on your credit rating?

I have four cards: two of which I routinely carry, a third with a credit limit I'll never qualify for again, and a fourth that used to be shared with my daughter before she was old enough to get her own.

Spouse has one credit card, and her credit score routinely comes in 20-30 points higher than mine.

I'm planning to get rid of the fourth card and I may even get rid of the third card. I figure a primary and a back up is "good enough". Anything beyond that may just be inviting trouble.

 

[target2019]

"We are writing to inform you of our recent discovery of a data security breach in mid December 2010 in which some of your personal information was improperly accessed."

That's the first sentence of two-page letter received today. This is more serious than "a computer got infected."

I'm not impressed with PFCU at all. It is Jan 7th and this is first written notification. I received a phone call and an email, but no details given. As of today I don't have a replacement CC.

Just activated free 2-yr subscription to kroll's service for id protection. Now my personal information is safely stored at another company.

 

[Rustward]

"We are writing to inform you of our recent discovery of a data security breach in mid December 2010 in which some of your personal information was improperly accessed."

That's the first sentence of two-page letter received today. This is more serious than "a computer got infected."

I'm not impressed with PFCU at all. It is Jan 7th and this is first written notification. I received a phone call and an email, but no details given. As of today I don't have a replacement CC.

Just activated free 2-yr subscription to kroll's service for id protection. Now my personal information is safely stored at another company.

Don't get too worked up about it. Anywhere else you could go has the same vulnerabilities.

 

[target2019]

Don't get too worked up about it. Anywhere else you could go has the same vulnerabilities.

What do you base your statement on?

 

[M Paquette]

Don't get too worked up about it. Anywhere else you could go has the same vulnerabilities.

Yup. Sadly, all it takes is an employee to plug an infected laptop into the corporate network. Any file server or database containing something that looks like credit card data will be spotted, reported up the botnet to it's operator, and likely pilfered within seconds. An exceptionally opportunistic operator will put a logger onto a machine within the network to provide a steady supply of new or updated records. (See the 2008-2009 Heartland Payment Systems hack...)

Very few companies operate their database/file servers on an isolated network, with no routes out to the Internet. The ones that think they do probably haven't checked for machines 'bridging' between the private net and one with Internet access. (Probably added by some IT type who wanted to play a little Farmville while shuffling the database backups...)

 

[harley]

Don't get too worked up about it. Anywhere else you could go has the same vulnerabilities.

What do you base your statement on?

I agree with Rustward, and I worked in network security for 15 years. This is par for the course. It sucks, but it can't be helped. Back when I was still paying close attention I would get a data security breach notification for some company or gov't agency pretty much every day. Security is important, but never as important as getting the job done. Except the military. They don't care how inconvenient it is to accomplish something, as long as it's secure. But not private companies, and not civilian gov't groups. It's just part of life.

 

[target2019]

I agree with Rustward, and I worked in network security for 15 years. This is par for the course. It sucks, but it can't be helped. Back when I was still paying close attention I would get a data security breach notification for some company or gov't agency pretty much every day. Security is important, but never as important as getting the job done. Except the military. They don't care how inconvenient it is to accomplish something, as long as it's secure. But not private companies, and not civilian gov't groups. It's just part of life.

I don't agree with the statement that "Anywhere else you could go has the same vulnerabilities." So I asked what that was based on. I don't doubt that you read daily security briefings, and all types of things were happening. I know that, since I read similar each day. I don't believe that all companies are this lax. I do know that many are, but exactly how many? In the past my wife's data has been lost a few times. Each time it was a healthcare company, and it was peculiar that the story was the same each time. An employee had a laptop, and lost it.

This penfed event is different. The letter says my personal information was improperly accessed. Notice the "was".

So the question, in this penfed topic, is whether the company has suffcient ISS layers of protection. My read on the incident is that penfed would not get high ratings on the security scale.

 

[Rustward]

What do you base your statement on?

Short answer is:
32 years in Data Processing / Management Information Systems / Information Technology