Hawaii Community Federal Credit Union employees improperly accessed the names, addresses and last four digits of Social Security numbers of “several hundred” Hawaii Community Federal Credit Union members, President James Takamine said Tuesday.
The data breach happened nearly a year ago. The credit union did not notify members until this week, while an independent attorney conducted an investigation, Takamine said.
The credit union posted a letter on its website Friday, and mailed the letter to credit union members late last week, informing them of the data breach Takamine said happened April 2011.
“At this point, it doesn’t appear there’s any risk for identity theft,” Takamine said. “We did not authorize nor do we condone the breach of trust. We are dealing with this issue aggressively.”
The credit union has about 40,000 members. Fewer than 500 had their account information accessed, Takamine said.
Takamine said account information and full Social Security numbers were not accessed. A credit union member filed a complaint last year, after becoming suspicious during the credit union board nomination process. Takamine said employees added names to nominating petitions, then went to credit union members to have them sign the petition.
Takamine said a “handful” of employees were involved in the data breach. Disciplinary actions were “up to and including termination,” he added.
Information from the internal investigation has been forwarded to federal authorities, he said. Those investigative authorities will determine whether any criminal charges may result from the incident, the credit union’s letter said.
The credit union also notified the National Credit Union Administration. A spokesman for the NCUA did not respond to a request for comment Tuesday.
Credit union employees will go through a new training process to reinforce policies that prohibit accessing members’ information. Officials are also reviewing the credit union’s policies and procedures, Takamine said. Credit union employees will also be able to report, anonymously, any suspicions they have about co-workers who may be improperly accessing information via a new website, he added.
Karen Barney, program manager for the Identity Theft Resource Center in San Diego, Calif., agreed with Takamine’s assessment that credit union members should not worry about identity theft, based on the information that was accessed.
“It’s always good to be conscientious,” she said, adding names and addresses can be found in telephone books, for example.
This kind of breach does not trigger immediate notification of members, she added.