Wachovia Exposes Latest Card Fraud, But More Banks Likely Ensnared

Wachovia Corp., some of whose debit card holders have been victimized by a data breach that happened several months ago, began sending notices and replacement cards to those customers recently because it began to see signs of fraud after months of monitoring the accounts, the bank says. Although Wachovia's action made the breach public knowledge, observers say the bank is not likely to be the only financial institution whose debit cards have been compromised in this latest incident of leaked card data. As has been the case with previous incidents, it's unclear exactly when this breach occurred. It's known that it happened months ago because Visa USA quietly issued a member alert about it in February. A Wachovia spokesperson tells Digital Transactions News the bank began monitoring transactions as soon as the Visa alert came out, but apparently nothing happened at first. “Very recently we began to see some fraudulent activity on the cards,” the spokesperson says. So last week, the bank sent a letter and replacement card in a single mailer to each of an unspecified number of customers. The spokesperson would not discuss the amount or nature of the fraud. Customers will not be liable for any losses on the old cards. Visa would not comment about the incident beyond a prepared statement that reads in part, “Visa USA is examining a possible compromise at a U.S.-based ATM processor. Upon learning of the compromise, Visa quickly alerted the affected financial institutions to protect consumers through independent fraud monitoring and, if needed, reissuing cards.” Visa did not identify the ATM processor or say how the compromise occurred. The Wachovia spokesperson did not have the name of the processor. While Wachovia is the only bank publicly linked to the February alert, the fact that an outside processor is involved almost certainly means more financial institutions have fraud exposure from the incident. “There have to be more,” says a source who didn't want to be named. This new incident comes on the heels of a massive security breach that compromised an estimated 300,000-plus PIN-debit cards, believed to be the biggest one to date involving debit cards (Digital Transactions News, March 16). Sources, however, say that breach and this latest compromise probably are unrelated. Also, authorities in Montreal this week arrested 10 individuals they say used rigged point-of-sale terminals to swipe debit card data, including PINs, on some 18,000 accounts, leading to $4 million in illicit ATM withdrawals (Digital Transactions News, June 21). Last year, hackers breached the computer files of merchant processor CardSystems Inc., exposing 40 million card accounts and directly affecting about 200,000. The breach eventually led to the sale of CardSystems' assets to Pay By Touch Inc. Meanwhile, the risk of identity theft as the result of stolen computer hardware has dominated recent news reports. Credit-reporting agency Equifax Inc. disclosed this week that a company laptop containing names and full or partial Social Security numbers of possibly more than half of the Atlanta-based firm's 4,600 employees was stolen from an employee traveling in England, according to the Associated Press. Equifax notified employees about the theft, but said it would be very difficult for a thief to decipher the data because of the way it was formatted. In May, a laptop holding Social Security numbers of 26.5 million individuals?most veterans but also about 2 million current members of the military?was stolen in the burglary of a Department of Veterans Affairs data analyst's Montgomery County, Md. home. The analyst was not authorized to take the data home, the government says. Also, a laptop containing Social Security numbers and other data about 13,000 District of Columbia employees and retirees was stolen recently from the Washington, D.C., home of an employee of a financial firm, according to press reports.