MCUA Urges Credit Unions to Take Action on Heartbleed
Credit unions in Missouri are urged to take immediate action to address Heartbleed—a security flaw in OpenSSL software. This flaw may allow unauthorized access to passwords or other sensitive data on websites, email, online banking and network services. Initial estimates suggest nearly two-thirds of encrypted websites could be affected.
MCUA and iVia Exchange Services Reviewed
The Missouri Credit Union Association (MCUA) conducted reviews of the MCUA website and systems. iVia Exchange Services also took immediate action to review products and security. At this time, no vulnerabilities have been identified. MCUA received notifications from LSC Card Services and CO-OP Shared Branching stating no vulnerabilities have been identified in their systems.
MCUA issued a compliance and technology alert to all member credit unions and iVia Exchange Services sent notices to customers on April 11.
Credit Union Response Needed
The Federal Financial Institutions Examination Council (FFIEC) directed financial institutions to “incorporate patches on systems and services, applications, and appliances using OpenSSL and upgrade systems as soon as possible to address the vulnerability.”
Credit unions must take immediate action to mitigate the potential risk to systems and data. Use the following links to access information from the FFIEC:
- Advisory Letter—http://www.ffiec.gov/press/pr041014.htm
- Vulnerability Alert—http://www.ffiec.gov/press/PDF/OpenSSLAlert041014.pdf
CUNA Mutual issued a Risk Alert and other insurers and vendors may have issued alerts or other information regarding their systems. Credit unions are encouraged to consult these sources and contact vendors for additional information.
It is critical that credit unions ensure member-facing systems are analyzed for any susceptibility to the “Heartbleed” vulnerability. Also verify through all vendors that their systems have been analyzed and patched or otherwise repaired if necessary.
For More Information
Credit unions needing additional guidance are urged to contact Eugene Widel, vice president of MCUA's Information Technology, at 314-542-1337 or via email.