Published June 21, 2006
SAN FRANCISCO – Visa USA on Tuesday confirmed an ATM security breakdown has exposed more consumers to potential mischief, the latest in a long line of lapses that have illuminated the often flimsy controls over the personal information entrusted to businesses, schools and government agencies.
The latest breach dates back to February when San Francisco-based Visa began notifying banks of a security problem affecting a U.S.-based contractor that processed automated teller machine transactions.
Visa, one of the nation's largest issuer credit and debit cards, publicly acknowledged the trouble Tuesday in response to media inquiries prompted by Wachovia Bank's decision to replace an untold number of debit cards issued to its customers.
Charlotte, N.C.-based Wachovia issued the card replacements last week as an antifraud measure, said bank spokeswoman Mary Beth Navarro. She declined to explain the circumstances that triggered the action after several months.
Visa also gave out few details about the incident. Thousands of banks have issued millions of debit cards bearing the Visa logo.
In a statement, Visa said it is working with its member banks and authorities "to do whatever is necessary to protect cardholders."
Under Visa's policy, consumers aren't held liable for any unauthorized purchases made with their cards.
Visa's security headache is hardly isolated.
In recent years, a wide ranges of businesses and bureaucrats have fumbled away Social Security numbers and other sensitive information that could be used to tap into the finances and credit records of unwitting consumers.
In one of the most far-flung breaches to surface so far, the Social Security numbers and other personal information of 26.5 million U.S. military veterans was stolen last month when an employee took some digital data to review at home.
Visa has encountered security problems with other contractors besides the ATM processor that triggered the February alert.
CardSystems Solutions Inc., a payment processor used by both Visa and rival MasterCard International Inc., suffered a lapse that exposed up to 40 million credit and debit card accounts to potential abuse between August 2004 and May 2005. The thieves are believed to have grabbed data from a small fraction of those accounts.
Visa and Wachovia weren't even the only major financial services companies owning up to security breaches on Tuesday.
Equifax Inc. (EFX), one of the nation's three major credit bureaus, said a company laptop containing employee names and Social Security numbers was stolen from an employee who was traveling by train near London.
The theft, which could affect as many as 2,500 of the Atlanta-based company's 4,600 employees, happened May 29 and all employees were notified June 7, spokesman David Rubinger said.
Employee names and partial and full Social Security numbers were on the computer's hard drive, though Rubinger said it would be almost impossible for the thief to decipher the information because it was streamed together.
"It would be very difficult to link this information and determine they were actual Social Security numbers in the first place," he said.
No other employee information was on the computer, he said, and there was no customer data on the computer.
Equifax's breach was similar to another one involving a laptop containing the Social Security numbers and other personal data of 13,000 District of Columbia employees and retirees.
That computer was stolen last week from the Washington home of an employee of ING U.S. Financial Services, according to officials with the company, which administers the district's retirement plan.
The laptop was not password-protected and the data were not encrypted, officials have said.