LOS ANGELES-Law enforcement agents believe hundreds of thousands of dollars being withdrawn from ATMs in California are related to the data breach announced recently by Michaels Stores.
Sources told Credit Union Journal last week they have connected unauthorized cash withdrawals in California with debit cards that have been exposed by Michaels, which announced last week it discovered malware on at least 90 of its 1,200 store terminals had exposed tens of thousands of cards to potential fraud.
Two class action suits filed since claim their cards were used in California, thousands of miles away, to withdraw cash from their accounts. In one case, a woman said she used her debit card at the Vernon Hills, Ill., Michaels store for an $18.16 purchase on March 16 and discovered two cash withdrawals totaling for $503 each, one in Duarte, Calif., and the other in Monrovia, Calif. The lawsuit noted that on May 5, almost three months after the skimming began, Michaels sent a belated alert to some customers. The lawsuit said the payment equipment might have been tampered with as early as Feb. 8. It said about 90 PIN pads showed signs of tampering.
Steve Ruwe, a fraud expert at credit union-owned PSCU Financial Services, which processes cards for 1,500 credit unions, confirmed the suspicions. "I believe it is," Ruwe said of the possible connections between the California ATM withdrawals and the Michaels breach. He said Visa and MasterCard has flagged 13,000 credit union cards as potentially breached but that fraud has minimal so far. But almost all of the $25,000 of fraudulent credit union transactions connected to Michaels has come as California ATM transactions. "The relationship is too coincidental," said Ruwe, PSCU's chief risk officer and former vice president of risk at Visa.
But he doubted whether the people accessing the accounts are part of a coordinated ring that is withdrawing the cash. "Frankly, the guys that are stealing the [debit card] numbers through technology are not the guys taking the money out," Ruwe said.
In breaches such as this Visa and MasterCard generally send processors PSCU Financial, CO-OP Financial and Card Services for CUs, and the affected credit unions, lists with the card numbers that are exposed. Then it is up to the individual credit unions to decide what to do. Some credit unions wait until they see evidence of fraud before they issue new cards, while others issue new cards immediately before they see fraud.
Numerous credit unions around the country have been reporting debit card breaches in recent weeks, while trying to determine the cause. Nevada FCU said last week it has blocked about 1,300 of its members' Visa debit cards and had about 100 cases of fraud it believes is related to the Michaels case.
PSCU's Ruwe said he believes the Michaels terminals were access internally by the malware, and not externally by little skimming devices attached to the payment machines. "You don't go to 90 stores and place skimmers on them," he said. "It had to be some kind of malware."
