Recently, my son and I were informed by USAA of a suspected data breach. They informed us via their inbox, in a message titled "Notification of New Debit Card", the information at the bottom of this message.
I reached out to USAA to ascertain three items: Where was my data when it was exposed, what information was exposed, and who reported the exposure to you?
The answer I received from the customer service representative and from Ron of the executive resolutions division is that a merchant informed USAA of a data breach. USAA is unwilling to help me protect myself by disclosing the merchant. USAA appears to only be concerned with limiting their liability due to fraudulent charges.
Why would a bank, USAA, that targets only military members and their families withhold critical information that could protect the very members that keep them in business? I want to know which merchant allowed my personal information to be exposed so that I can reduce my vulnerability. USAA's representatives state that the company's policy is not to disclose which merchant reported the breach. In my opinion this policy is a business protecting a business and disregarding the safety of its members.
USAA didn't even reach out to me personally to give me insight into why they are sending a new card. I had to call them and spend 30 minutes of my time on the call to get an insufficient amount of information regarding what I should do to protect my data from a future breach by the same merchant. My belief is that USAA should be financially responsible for any future breach of this kind from the same merchant since they chose not to aid me in protecting my information. How can I request that the merchant remove my information from their systems if I cannot determine who they are? Why would said merchant disclose to a bank that they had a breach and not to the customer, me, that they had a breach?
We've identified that your USAA debit card information, such as your name, card number and expiration date, may have been obtained by unauthorized individuals through non-USAA systems. Your card information was possibly obtained through a retailer where you shopped or dined, or by other fraudulent activity.
To reduce the risk of unauthorized transactions, we're replacing your debit card ending ####. We'll send you a new card with a new card number, security code and expiration date, and you'll receive it within 10 business days. To keep track of this new card order, review your card mailing status. Along with the card, we'll provide information about the steps you should take to activate your card and reminders for ensuring all preauthorized or recurring transactions are honored, such as providing merchants with your new card number and expiration date for recurring transactions.
Your Current Card
Your current card will only remain active up to 30 days, or upon activation of your new card, whichever occurs first. After you've activated your new debit card, please destroy your current card.
Protecting You From Unauthorized Transactions
Rest assured that you're protected by our zero-liability policy. A password is the first line of defense against cybercriminals. We recommend using multifactor authentication (MFA) as an added layer of protection. Learn more about MFA at usaa.com/MFA.
If you'd like to speak to us about this matter, please call us at [protected].
Additional information about zero-liability protection: You are not liable for unauthorized use of a debit card if (1) your account is in good standing, (2) you have exercised reasonable care in safeguarding your card from loss or theft, and (3) you have not reported to us 2 more unauthorized use events in the past 12 months. "Unauthorized use" means the use of a debit card by someone other than an account holder without actual authority to use the debit card. It does not include use of a debit card (1) by a person who was furnished the card by an account holder unless the account holder notified us that transfers by that person are no longer authorized or (2) with fraudulent intent by an account holder or any person acting in concert with the consumer."