To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/security/0,39024655,39156408,00.htm

Wal-Mart caught in debit card enquiry?
Breach fears worsen...

By Greg Sandoval

Published: Tuesday 14 February 2006

An investigation into thousands of compromised debit cards that was widely reported last week appears to involve two of largest retailers in the US, according to multiple law enforcement and banking sources.

This week, two major banks joined a credit union in cancelling a combined 200,000 accounts belonging to debit-card holders. In letters to affected customers, Bank of America and Washington Mutual said they were cancelling debit cards because of a security breach at a "third-party" location. Officials from both banks and law enforcement agencies have refused to identify the location.

Sources now say that the case might involve two separate retail chains - one which has acknowledged a problem and another whose possible role is uncertain.

After receiving a call from silicon.com sister site CNET News.com about the investigation into the 200,000 cancelled credit cards, a Wal-Mart media representative refused to answer questions but called attention to a statement released by the company on 2 December, 2005. In the statement, Wal-Mart acknowledged that credit cards used by some customers who bought petrol at the company's Sam's Club stations between 21 September 2005 and 2 October 2005 were compromised. Many Sam's Clubs also accept debit cards.

There are more than 500 Sam's Clubs in the US, according to information on Walmart.com but it is unclear how many sell petrol. The December statement also did not say whether the security breach was restricted to any region.

Wal-Mart said in its press release: "The investigation began when the credit card issuers reported that some cardholders were reporting fraudulent charges on their statements. It is still in its preliminary stages, with no determination on how the data was improperly obtained."

Wal-Mart also said it had reported the case to the US Attorney's Office and the Secret Service.

But the trail doesn't end with Wal-Mart, said sources close to the investigation. As investigators began to look into the recent rash of unauthorised charges, they found that a large number of people whose debit cards were compromised had one thing in common: they had previously shopped at office-supply chain OfficeMax, said a banking source familiar with the case. Two law enforcement sources also said OfficeMax is part of the investigation but did not provide details.

None of the sources, who requested anonymity due to the ongoing investigation, knew for certain whether OfficeMax had suffered a security breach.

OfficeMax said on Friday: "We have not suffered any security breach to our knowledge."

According to one banking official close to the case, OfficeMax has been queried by at least one financial institution about the matter.

The banking official, who requested anonymity, said: "This is why we don't reveal the names to the public. We're not sure which customers may have been ripped off in the Wal-Mart deal or whether OfficeMax was the problem."

The case is being investigated by the FBI and Secret Service, said FBI special agent John Cauthen, who works out of the bureau's Sacramento office. Cauthen declined to comment on Wal-Mart or OfficeMax.

Cauthen said on Friday the FBI is working on a debit-card fraud case that was first reported by The Sacramento Bee last November. In that case, the Golden 1 Credit Union cancelled about 1,500 debit cards after being alerted to possible fraud in the Sacramento area.

The credit union told customers that the fraud resulted in "counterfeit cards being made and used internationally". Golden 1 told the Bee that it closed accounts after discovering unauthorised withdrawals at ATMs in Russia, South Korea and the UK. Golden 1 also said that not all the debit cards cancelled had unauthorised withdrawals on them but all were used at an unidentified Sacramento business in the autumn of 2005.

Someone working for that merchant is suspected of pilfering account and personal identity numbers from the cards, the Bee reported.

Greg Sandoval writes for CNET News.com