Wednesday, February 15, 2006

Office Max Denies Being Hacked in Debit Card Breach

Last week, I got a rather unfortunate letter from my bank. It informed me that they suspected fraud on my debit card, which turned out to be true.

After a little research of the available media coverage and my own shopping habits, it seemed to me that I could reasonably deduce where this all started.

Last weekend, I had a feeling that Office Max was going to be discovered as the point of compromise and did this post: Is Office Max the Point of Compromise in the Debit Card Theft Case.

On Monday, David Lazarus of the San Francisco Chronicle reported Office Max as being the point of compromise. The Chronicle and David Lazarus have been instrumental in breaking this story despite all the "no comments" from the financial industry.

Here is the story from the Chronicle naming Office Max:

OfficeMax at center of major data-security breach with debit cards

The saga continues and Channel 5 of the San Francisco Bay area is now reporting:

"As OfficeMax denies that its computer systems were hacked and that customers' financial information was stolen, investigators are looking into the possibility that the same kinds of cyber thieves may have struck again at Sam's Club."

"But the FBI confirms it is investigating the possible theft of OfficeMax customer data that led to several major banks canceling thousands of debit cards."

On an even more ominous note, Channel 5 reported:

"The FBI fears the stolen money is going to international organized crime rings, or even funding terrorist organizations."

For the full story from CBS 5:

Sam's Club Customers' Credit Card Info Exposed

California State Sen. Jackie Speier, D-Hillsborough, has already expressed concern that California's strict disclosure laws might have been violated, AND now the Financial Times is reporting:

"Barney Frank, the senior Democrat on the house financial services committee, said on Wednesday he would consider legislation to require credit card companies to name the party responsible for consumer data breaches."

Here is the story from the Financial Times:

Credit card handling lapses spur regulatory effort

It's been established and reported that Visa and Mastercard admitted to knowing that the breach occurred at a retailer, but wouldn't identify which one. This led to a lot of speculation in the press that Sam's Club (another recent breach) was the source.

Of course, based on my personal experience, I know I have never bought anything at Sam's Club.

The most recent reports are saying that the FBI is investigating to see if a tie between the two cases exists. This makes more sense to me. When I was following this story, I noticed that the recent breach seemed to be Northern California specific, while the Sam's Club case has proven to cover different geographic areas.

This isn't to say that there isn't a tie. With all the data breaches in the past couple of years, it seems to me that highly organized gangs are maliciously attacking corporations to steal information.

It's going to be interesting to see how the legal part of this comes out.

Here is a pretty good explanation of California laws by the Privacy Rights Clearinghouse:

California Identity Theft Laws

In addition to this, there has also been a civil lawsuit filed for the California victims of the Cardsystems (Mastercard) breach. The lawsuit alleges that consumers were not notified in a timely manner.

Here is an article from CNet regarding this:

Lawsuit seeks disclosure in credit card heist CNET

Other notable "data breaches" in the recent past have been the Boston Globe, Choice Point, Wachovia Corporation, Bank of America, Time Warner and even educational institutions, such as Boston College and the University of California, Berkeley.

Office Max has the right to deny they are the source, but unless Channel 5 is mistaken, the FBI is on the case and they are looking at them.

I'm sure no one at these corporations or institutions wished for the breach to occur. The question is whether or not keeping everything secret serves the public interest. When this story broke, it was because Bank of America got in front of it and addressed it. As a result, they probably took the initial heat, but as history is written, it might show they did the right thing. It's now very obvious that they were not the only financial institution or retailer that had reason to suspect their customers might be in harm's way.

This is going to get VERY INTERESTING!
