Information about Merchant Data Breaches

A merchant data breach is an intrusion into a merchant’s computer system(s) or access to physical cardholder data where unauthorized disclosure, use, destruction or theft of cardholder data is suspected.

Data breaches can happen accidentally, as they do when a security system fails, or because of theft of electronic data, equipment or documents. A system failure might happen because of a software application security malfunction, failure or breach of card processing security protocols. Data breaches can also happen because criminals target secure information to gain unauthorized access, whether through phishing or social engineering attacks, hacking or other means.

When KeyBank is notified of a merchant data breach that may impact our clients’ cards, we do not receive detailed information about the specific merchants involved or the nature of the breach. Since the breach happens outside of KeyBank and its systems, we do not have specific details of what occurred. KeyBank is only alerted that a card appears on a list of cards potentially compromised by a data breach at another business, merchant, or institution where the card was used. When that happens, we take proactive action to reissue those cards as a precaution.

To safeguard your information, we use:

• Industry-leading cybersecurity tools, practices and technology
• Multifactor identification practices that protect clients’ identities
• Our Cyber Defense Center, which tracks the latest threats
• Our Fraud Prevention Services group, which monitors client accounts proactively for suspicious activity

There are some best practices you can follow to keep your accounts as secure as possible. Make sure to keep your account information private, choose complex passwords for online accounts and update them regularly. To learn more about staying secure, please visit our consumer security page.

To stay informed about your account activity, we recommend that you monitor your account regularly in online and mobile banking. You can review your statements whether you receive them by mail, online or at an ATM. You can also call us to check recent transactions.

In addition to monitoring your account activity regularly, you can choose to receive Account Alerts via texts or emails from KeyBank when certain activities happen on your accounts. Alerts reduce the risk of identity theft and fraud by letting you know when a change has been made to your account.

If you notice an unauthorized transaction on your account, report it by calling 1-800-KEY2YOU^® (1-800-539-2968) and following the prompts for fraudulent activity.

KeyBank may call you to verify recent account transactions when suspicious transactions are noticed. We use best practices for security when we call clients, so when we contact you, we will never ask you to provide or verify your:

• Full Social Security or account numbers
• One-time password
• Username or password
• Answers to security questions over the phone

When you initiate an interaction with KeyBank, we may ask for your information, such as the last 4 digits of your Social Security number, login ID, or a one-time passcode to verify your identity. However, be cautious of unexpected requests by phone, text, or email for full Social Security number, login ID, or other personal information when the communication was not initiated by you. Verify these requests by contacting a known KeyBank resource (e.g. a local branch, 1-800-KEY2YOU^®) before providing any sensitive information.