A dozen of the Utah-based financial institution's employees uncovered suspicious activity on 20,000 debit cards two weeks ago. When the credit union investigated employee reports, it found that a skimming device had been used at an unnamed retailer sometime between October 2013 and February 2014 to obtain data from the debit cards.
America First started sending out email notifications to the customers affected on Wednesday. The credit union also notified Visa, which is investigating the security breach as well.
Customers will receive a new debit card and PIN via mail, though existing debit cards can still be used as credit cards. The credit union will monitor transactions on the accounts, the report said.