PIN Debit Breach Update: What You Need to Know

Despite new disclosure rules, information about customer data breaches is notoriously hard to obtain, but even by those standards, getting to the bottom of the one now on everyone's mind has been challenging.

Over the past few weeks several organizations, including American Banker, The New York Times, and the online technology news service CNet, have brought a smattering of details to light. However, many questions remain unanswered, and no coherent narrative has emerged.

The financial industry's interest in the breach of PIN debit data has ramped up again as several major banking companies confirmed that thousands of their PIN-based debit accounts were used for unauthorized transactions around the world.

The breach has garnered further attention because the thieves accessed, and used, encrypted PINs - a type of theft much more likely to hit individuals than large groups.

This article, presented in Q&A format, is meant to answer key questions about the breach and tie up as many loose ends as possible.

How did the breach occur?

The lead theory, according to sources close to the matter, is that hackers accessed servers at about 30 stores belonging to a large, national retailer and stole data from the cards' magnetic stripes, encrypted customer PINs (in a format known as PIN blocks), and the keys to decode the PIN blocks.

The criminals used the magnetic stripe information to create counterfeit cards, and the decrypted PINs to withdraw cash from automated teller machines, the sources said.

But others doubt that the thieves had access to PIN blocks. Jerry Silva, the service director for the retail banking and delivery-channel practices at TowerGroup Inc., a Needham, Mass., research unit of MasterCard International, said the thieves could have used a "brute-force" approach. If they had the magnetic stripe information and access to a point-of-sale terminal, they could have used software to test every possible combination until they found the correct PIN.

Though ATMs will generally halt a transaction when someone enters several incorrect PINs, many point-of-sale terminals do not.
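The ATM-versus-terminal contrast above points at the issuer-side control that closes the gap: count consecutive failed PIN checks per account at the card issuer's host, where attempts from every terminal are visible together, rather than relying on each terminal to stop after a few tries. This is an added example, not code from the article or from any company it names; the log format, account tokens and the threshold of three are constructed assumptions.

```python
import re
from collections import defaultdict

APPROVED, DECLINED, BLOCKED = "APPROVED", "DECLINED", "BLOCKED"

class PinAttemptGuard:
    """Issuer-host counter of consecutive failed PIN checks per account.
    Terminals may not enforce a retry limit, so the limit lives here, where
    every terminal's attempts against one account are seen together."""

    def __init__(self, max_failures: int = 3) -> None:
        self.max_failures = max_failures
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.blocked = set()               # accounts locked for PIN use

    def decide(self, account: str, pin_ok: bool) -> str:
        if account in self.blocked:
            return BLOCKED                 # stays blocked even on a correct PIN
        if pin_ok:
            self.failures[account] = 0     # a correct PIN resets the counter
            return APPROVED
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.blocked.add(account)
            return BLOCKED
        return DECLINED

# Constructed authorization log in a hypothetical format: the host's PIN check
# result per attempt. ACCT-0001 is probed from three different terminals.
SAMPLE_LOG = """\
ts=2006-02-14T10:01:05 acct=ACCT-0001 term=POS-17 pin=BAD
ts=2006-02-14T10:01:40 acct=ACCT-0001 term=POS-22 pin=BAD
ts=2006-02-14T10:02:11 acct=ACCT-0002 term=POS-17 pin=BAD
ts=2006-02-14T10:02:30 acct=ACCT-0001 term=POS-09 pin=BAD
ts=2006-02-14T10:03:02 acct=ACCT-0002 term=POS-17 pin=OK
ts=2006-02-14T10:05:47 acct=ACCT-0001 term=ATM-03 pin=OK
"""
LINE_RE = re.compile(r"acct=(?P<acct>\S+) term=(?P<term>\S+) pin=(?P<pin>OK|BAD)")

def run_log(log: str, max_failures: int = 3) -> list:
    """Replay the log through one guard; return (account, terminal, decision)."""
    guard = PinAttemptGuard(max_failures)
    out = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:                              # skip malformed lines
            out.append((m["acct"], m["term"],
                        guard.decide(m["acct"], m["pin"] == "OK")))
    return out
```

Because the counter is keyed on the account rather than the terminal, the third wrong PIN for ACCT-0001 is blocked even though each attempt came from a different terminal, and the later correct PIN at the ATM stays blocked until the issuer clears it.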

How many people were affected?

So far sources close to the matter say at least 600,000 accounts could have been compromised.

Which retailer's systems were hacked?

There may have been more than one retailer, according to Eric Zahren, a spokesman for the Secret Service, who said the breach "involved a number of retailers and issuers." Mr. Zahren would not name them or discuss the status of the investigation.

Sources close to the investigation - and several published news reports - named OfficeMax Inc. of Itasca, Ill., which has consistently denied any involvement.

"We have no knowledge of a security breach at OfficeMax," Bill Bonner, a spokesman for the OMX Inc. unit, told American Banker last week.

Which banking companies are involved?

In addition to Citigroup Inc. (Citi), seven other banking companies have confirmed their customers may have been compromised - Bank of America Corp., JPMorgan Chase & Co., Wachovia Corp., Wells Fargo & Co., Washington Mutual Inc., National City Corp., and PNC Financial Services Group Inc. All of them have said they would reissue debit cards to some customers.

When did the breach occur?

The banking companies involved say they do not know when it occurred, but Citigroup Inc. said that it spotted unauthorized transactions in mid-February from three countries, which it would not name. Several sources said the countries were Canada, the United Kingdom, and Russia.

What kind of losses are expected?

Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., estimated the average loss at $1,000 to $2,000 an account.

Is the scope of the breach likely to get bigger?

Yes. Even if the banks were able to shut down every affected card, the thieves have probably completed transactions that victims have not yet noticed. Also, there may be additional banking companies that were involved but have not yet come forward.

Do retailers routinely store PIN data?

It's not clear that they do so routinely, but Mike Urban, the technology operations data center director for Fair Isaac Corp., confirmed that many retailers' systems are capable of storing PIN data.

According to Ms. Litan, many of those systems do so by default, so the retailer or retailers may not have been aware their systems were storing such data.

Don't card companies prohibit retailers from storing PIN information?

Yes. Retailers, processors, and any other parties involved in processing transactions may not store PINs, even if they are encrypted, according to section 3.2.3 of the Payment Card Industry Data Security Standard, which was developed by all the major card companies. The standard also requires companies to "restrict" access to encryption keys to the fewest number of parties possible, and to store the keys securely in the fewest possible places and forms.

Card companies can fine merchant acquirers if their merchant customers do not adhere to the standards, and Visa U.S.A. is considering imposing a fine on B of A, OfficeMax's acquirer, according to one source close to the matter.

Is mishandling customer information against the law?

Yes. The Federal Trade Commission has fined companies for mishandling consumer information, a violation of federal laws. It has investigated at least nine cases of companies that failed to protect consumers' confidential financial information, including ChoicePoint Inc., CardSystems Solutions Inc., and DSW Inc.

Will this breach have a long-term effect on the card industry?

Analysts debate whether the breach will rock the booming market for debit cards. Ms. Litan said the large-scale data theft "proves" that PIN debit is "less secure" than it used to be. Card companies "will probably raise PIN debit rates" - which are lower than signature debit ones - if they are convinced that PIN debit risk has increased. She also said the incident will make consumers wary of PIN.

Mr. Silva took the opposite view; he said that the breach most likely relied on "insider involvement," and that it remains difficult for criminals to access and decode PIN data.

Though the theft is large, such breaches are still very uncommon, he said. "Fundamentally, it's still true that PIN-based transactions are more secure" than signature-based transactions.

Fair Isaac's Mr. Urban comes down somewhere in between. He said similar incidents are likely to occur, though on a smaller scale.

For example, there have been cases where PIN information is compromised at specific PIN pads, he said. However, "PIN-based transactions are still, as far as I know, the most secure method of authenticating the cardholder."

Could there be other long-term ramifications?

It is too soon to tell how legislators and law enforcement agencies may respond, but past breaches have prompted legislators to call for changes.

When news broke in February 2005 that criminals had gained access to information held by ChoicePoint on 144,778 people around the country, the data storehouse company informed only the affected California residents, about 34,000 people, because of a state law requiring disclosure in such cases. Twenty states now have similar laws.
