A payment-card information breach at Wal-Mart Stores Inc.'s Sam's Club division likely exposed the data of many more customers beyond the several hundred fraud victims cited by the retailer in a statement late last week.
Wal-Mart, MasterCard International, and Visa U.S.A. all declined to provide details beyond brief statements, including any estimate of the number of customers whose account data had been exposed. Sam's Club said the breach left "approximately 600" known fraud victims in its wake. But interviews with numerous bankers the card companies have contacted about the incident, as well as other industry observers, make clear that the number of data files compromised was probably much higher.
Leon Major, president of payments consulting firm ESP Consulting, a Salisbury, Md., division of Phoenix Marketing International of Rhinebeck, N.Y., said the number of cards exposed "has to be in the thousands, or tens of thousands."
According to Sam's Club's statement, issued Friday evening, the retailer is "working closely with Visa and MasterCard to investigate" the frauds, which hit cardholders who made purchases at Sam's Club gas stations between late summer and Oct. 2. The statement said the probe began after issuers reported fraudulent charges. Both credit and debit cards were involved, bankers said, and compromised data came from cards' magnetic stripes.
Executives at issuing banks say Visa sent them notifications last week that certain accounts were at risk as a result of the breach. Visa's memo, which was sent before the retailer's disclosure, did not mention Sam's Club by name, but most of the issuers said they believed it concerned the Sam's Club breach. Some issuers also said they received a notice from MasterCard.
According to these bankers, the associations urged the issuers to guard against unusual activity in the compromised accounts, even though only a relatively small number of fraud cases had been attributed to the incident.
One banker said that Visa's memo said the frauds occurred in Illinois, New York, Maryland, California, Spain, and Korea.
Sam's Club said it had contacted the U.S. Attorney's Office for the Western District of Arkansas and the U.S. Secret Service. Wal-Mart's headquarters is in Bentonville, Ark.
Leton L. Harding, executive vice president of First Bank and Trust Co. of Abingdon, Va., said that he was notified by Visa on Nov. 30 that 368 of his customers' Visa Check card accounts had been exposed.
Sue Hall, compliance officer for Empire Federal Credit Union of Syracuse, N.Y., said "under 300" of its accounts were exposed. She said the credit union is sending letters to members affected. They can opt to have cards reissued or have their accounts monitored.
Ms. Hall said Empire Federal made no effort to determine which merchant had the breach, though she said she was aware of the Sam's Club announcement. "We don't ever go back and try to figure out where it is. To us, it doesn't matter .... We just feel that any of our members that are potentially compromised should be notified," she said.
Ms. Hall said the card companies send Empire Federal such warnings sporadically. "You can go months without receiving any, and you can receive a couple in a month."
Mike Marzec, manager of electronic banking for First Horizon National Corp., said "there have been a couple of hundred banks Visa has had to call for this." He said some customers had been exposed, though he didn't know how many.
Libby Hutchinson, a spokeswoman for Washington Mutual Inc., said it had been notified that "there were two card issuers that have the bulk of the impact," and that Wamu is not one of them. She did not know their names.
Stephanie Hagen, a spokeswoman for Fifth Third Bancorp., said that both Visa and MasterCard had notified the Cincinnati banking company that some of its accounts were at risk, though her company was still researching the incident and she could not say how many customers had been affected.
Jessica Iben, a spokeswoman for JPMorgan Chase & Co. said, "We were recently informed of a security breach at Sam's Club, and we're cooperating with both Sam's Club and law enforcement with their ongoing investigation. We're investigating any possible exposure."
Marty Heires, a spokesman for Wal-Mart, would not elaborate beyond the statement. He referred questions to a Sam's Club spokeswoman, who did not return calls.
First Bank And Trust's Mr. Harding said Visa declined to tell him the number of accounts that had been exposed, and that not knowing the full extent had made it difficult for his company to decide whether to reissue the affected cards. "I just want to know the breadth and scope of this thing," he said, to "make a business decision" about whether to reissue the cards or to monitor the accounts more closely.
He said about 300 of his company's accounts were affected in the CardSystems Solutions Inc. breach that exposed some 40 million accounts. He opted not to reissue, because he felt the fraud risk was slim.
