Debit card breach mystery deepens

An investigation into thousands of compromised debit cards that was widely reported last week appears to involve two of largest retailers in the US, according to multiple law enforcement and banking sources.

This week, two major banks joined a credit union in cancelling a combined 200,000 accounts belonging to debit-card holders. In letters to affected customers, Bank of America and Washington Mutual said they were cancelling debit cards because of a security breach at a "third-party" location. Officials from both banks and law enforcement agencies have refused to identify the location.

Sources now say that the case might involve two separate retail chains — one which has acknowledged a problem and another whose possible role is uncertain.

After receiving a call from ZDNet UK sister site CNET News.com about the investigation into the 200,000 cancelled credit cards, a Wal-Mart media representative refused to answer questions but called attention to a statement released by the company on 2 December, 2005. In the statement, Wal-Mart acknowledged that credit cards used by some customers who bought petrol at the company's Sam's Club stations between 21 September, 2005, and October 2, 2005, were compromised. Many Sam's Clubs also accept debit cards.

There are more than 500 Sam's Clubs in the United States, according to information on Walmart.com, but it is unclear how many sell petrol. The December statement also did not say whether the security breach was restricted to any region.

"The investigation began when the credit card issuers reported that some cardholders were reporting fraudulent charges on their statements," Wal-Mart said in its press release. "It is still in its preliminary stages, with no determination on how the data was improperly obtained."

Wal-Mart also said it had reported the case to the US Attorney's Office and the Secret Service.

But the trail doesn't end with Wal-Mart, said sources close to the investigation. As investigators began to look into the recent rash of unauthorised charges, they found that a large number of people whose debit cards were compromised had one thing in common: they previously had shopped at office-supply chain OfficeMax, said a banking source familiar with the case. Two law enforcement sources also said OfficeMax is part of the investigation but did not provide details.

None of the sources, who requested anonymity due to the ongoing investigation, knew for certain whether OfficeMax had suffered a security breach.

"We have not suffered any security breach to our knowledge," OfficeMax said on Friday.

According to one banking official close to the case, OfficeMax has been queried by at least one financial institution about the matter.

"This is why we don't reveal the names to the public," said the banking official who requested anonymity. "We're not sure which customers may have been ripped off in the Wal-Mart deal or whether OfficeMax was the problem."

The case is being investigated by the FBI and Secret Service, said FBI special agent John Cauthen, who works out of the bureau's Sacramento office. Cauthen declined to comment on Wal-Mart or OfficeMax.

Cauthen said Friday the FBI is working on a debit-card fraud case that was first reported by The Sacramento Bee  last November. In that case, the Golden 1 Credit Union cancelled about 1,500 debit cards after being alerted to possible fraud in the Sacramento area.

The credit union told customers that the fraud resulted in "counterfeit cards being made and used internationally". Golden 1 told the Bee that it closed accounts after discovering unauthorised withdrawals at ATMs in the UK, Russia and South Korea. Golden 1 also said that not all the debit cards cancelled had unauthorised withdrawals on them, but all were used at an unidentified Sacramento business in the fall of 2005.

Someone working for that merchant is suspected of pilfering account and personal identity numbers from the cards, the Bee reported.