(June 3, 2008) South Bend, Ind.-based 1st Source Bank is reissuing its entire portfolio of debit cards after a hacker or hackers broke into a bank server containing debit card data. No fraud has been discovered as a result of the intrusion, a bank executive tells Digital Transactions News.

The $4.5-billion-asset bank with 79 branches in northern Indiana and southern Michigan began alerting customers last month after an outside monitoring service it uses noticed on May 12 an unusual flow of data from a bank server containing debit card data, says James Seitz, senior vice president of consumer and electronic banking. “We immediately saw that and shut it down,” says Seitz.

The bank notified law-enforcement authorities and hired outside forensic firms to analyze the breach. Exactly how the hackers tapped the server isn’t publicly known. They did, however, get Track 2 data contained on magnetic stripes, including account numbers, according to Seitz, as well as PINs in at least some cases. "They got some PIN numbers, but a very small percentage compared to the debit card base that we have," says Seitz.

Seitz wouldn’t disclose the size of the debit card file, but says the bank is reissuing all cards, which are MasterCard-branded, as a precaution. 1st Source also is offering customers free credit-report monitoring for a year. Seitz would not say whether the hackers broke into the server only on May 12.

In addition to monitoring debit card transactions as they come through, the bank has “shut some things down, and we’re working with all of our vendors to strengthen our systems,” says Seitz. He adds that he couldn’t comment about the state of the bank’s compliance with the Payment Card Industry data-security standard, or PCI.

While merchants such as TJX Cos. and Hannaford Bros. Inc. in the past couple of years have been the sources of the most publicized breaches of payment card data, the 1st Source hacking shows that card issuers also are vulnerable to high-tech thieves. “I do know that it occurs” Annmarie “Mimi” Hart, chief executive of MagTek Inc., a Carson, Calif.-based provider of payment-processing hardware, software, and security systems, tells this newsletter’s sister publication, Digital Transactions magazine, in an upcoming story about issuer security. Hart wouldn’t identify any issuers that have been hacked.