Breach in security reaches 2d credit firm
MasterCard, Visa refuse to identify retailer whose computer system was hit
The scope of a computer system breach at a national retailer widened yesterday to involve the customers of a second major credit card firm, but those companies refused to divulge the name of the retailer.
The existence of the security breach first surfaced this week when HSBC North America began notifying 180,000 of its GM MasterCard customers that their credit card information had potentially been compromised. HSBC, which issues the GM cards, urged each customer to replace their card as quickly as possible.
MasterCard officials said yesterday they uncovered the breach and informed member banks of its existence, but they said it was up to each bank to determine how it wanted to respond.
A second company, Visa USA, late yesterday said it had been notified by the same merchant that a data security breach had occurred, potentially exposing the credit card data of Visa customers to thieves. Visa said it would begin working with the merchant, law enforcement officials, and member banks to monitor and prevent card-related fraud.
Both MasterCard and Visa said they would not disclose the name of the US-based retailer where the breach occurred.
''Because of the nature of the ongoing investigation, MasterCard cannot disclose specific details," the company said in a statement. ''If MasterCard cardholders are concerned about their individual accounts, they should not hesitate to contact the banks that issued their cards."
MasterCard stressed that all cardholders are protected by the company's zero liability policy for unauthorized transactions on their accounts. Visa's statement offered similar assurances, but did not say whether member banks would being issuing replacement credit cards.
Officials at American Express and Discover Card could not be reached for comment.
News of the breach at the unidentified national retailer surfaced as the Senate Judiciary Committee held a hearing in Washington where lawmakers vowed greater regulation of personal data brokers and also pledged to pass legislation requiring companies to notify consumers when their personal data are compromised.
''There will be some very firm federal legislation coming out of this issue," said Pennsylvania Republican Senator Arlen Specter at the conclusion of the Judiciary Committee hearing. Specter chairs the committee.
Two bills are pending, both of which would require consumers to be notified when a breach of personal information occurs. The bills are modeled along the lines of a California law that mandates disclosure.
Senator Dianne Feinstein, Democrat of California, the sponsor of one of the bills, said most consumers don't become aware that companies are constantly gathering personal information about them until the information is stolen and they become a victim of identity theft.
''Of the 12 big breaches of databases that took place this year and during last year, the personal data of 10.7 million Americans has been put in jeopardy of identity theft," she said.
Officials at ChoicePoint, LexisNexis, and Acxiom testified at yesterday's hearing about past security breaches at their companies and efforts to prevent them in the future. Other institutions that have reported breaches recently include Boston College, Tufts University, and Bank of America.
J. Craig Shearman, a spokesman for the trade group National Retail Federation, said his organization did not know which retailer experienced a breach of its computer system. He said the retailer may be keeping quiet at the request of law enforcement as an investigation is conducted.
Last year, BJ's Wholesale Club said that it and law enforcement authorities were investigating whether its computer system was compromised after some credit card information was stolen. The company said only a small fraction of its customers were affected, but it prompted many banks to reissue thousands of credit cards to customers.
Tom Nicholson, a spokesman for HSBC, said yesterday that the bank was urging less than 1 percent of its customers to replace their credit cards. Nicholson said the company identified the affected customers using a merchant code that did not identify the name of the retailer.
Nicholson said letters were immediately sent to 12,000 GM MasterCard cardholders and would be sent to a total of 180,000 by mid-May. The letters indicate GM MasterCard had seen no evidence of fraud yet. ''We are probably being very cautious," he said.
Bruce Mohl can be reached at mohl@globe.com. 