Cyber Heist Could Cost Consumers
April 21, 2006 — -- After their banks quietly informed them their debit card and bank information may have been stolen, thousands of Americans could lose as much as $500 in money taken from their accounts.
In possibly the biggest incident of debit card hacking theft, thousands of U.S. consumers have been told that their bank accounts may have been compromised by computer hackers who stole debit information and personal identification numbers (PINs) from their bank accounts.
"This is the worse debit-PIN breach that has been reported to date," said Avivah Litan, analyst and digital banking expert at Gartner.
During the past few weeks, banks across the country quietly informed consumers who may have been victimized by the breach, which occurred more than a month ago.
Litan said that 200,000 to 300,000 consumers may have had new debit cards issued, and the banks reportedly monitored account activity for the consumers at risk. But some consumer groups questioned why the notification letters were not more specific about the details of the breach, such as whether it was a specific merchant whose security was compromised.
"The letters seem to be pretty vague. They're not being told where the breach occurred. The notices tell them that something happened, but it won't tell them where or how," said Gail Hillebrand of the nonprofit group Consumers Union. "If you're a consumer, it would help to know which retailer made your information available, because maybe you wouldn't want to shop there again."
One privacy expert said that banks and retailers often wrangle over the particulars of notifying consumers when a security breach occurs.
"No one wants to send out a security breach notice," said Chris Hoofnagle of the Electronic Privacy Information Center. "You instantly become a pariah, and the fear is that you'll start to lose customers."
Unlike credit cards, which by law hold consumers responsible for only $50 in the case of theft, card issuers can hold debit card holders responsible for up to $500 when their money is stolen. Electronic money transfers, including debit card transactions, are governed by a Federal Reserve Board regulation known as Regulation E. One of its stipulations puts the onus on consumers to report irregularities with electronic transfers. If consumers fail to notify card issuers about breaches in a "timely fashion," the card issuer could hold the consumer responsible for up to $500.