It's a mystery that's better suited for a schlocky Hollywood thriller starring Harrison Ford, but it's all too real -- the stealthy cancellation of thousands of debit cards from various banks, due to a data breach involving a still-unidentified "third party retailer."
Avivah Litan, security analyst for the Gartner research firm, has called the data breach the "worst hack ever," saying it represented a new and dangerous frontier for identity fraud: the mass theft of personal identification numbers (PINs) used to authorize debit card transactions.
Current theories on the data theft hold that either a retail merchant or a payment processor was holding stores of encrypted PIN data received during transactions, rather than erasing it after the transaction was completed.
As the theory has it, hackers then broke into the database storing the data, made off with it, and linked the PINs to fake debit cards, with which they promptly began making withdrawals from unsuspecting cardholders' accounts.
This may have led to the cancellation of Jake Appelbaum's card during his trip to Canada, which broke the story wide open. Appelbaum was told by Citibank that they had first noticed a series of fraudulent withdrawals in Canada, Britain, and elsewhere throughout Europe.
Appelbaum's story led to an explosion of reports of debit card cancellations all over the country, from customers of major banks and small credit unions alike.
What do all these debit cards have in common to make them vulnerable to such a massive data theft?
Plausible Deniability
At first, speculators claimed that the breach came from a major retail chain such as Wal-Mart, OfficeMax, or Office Depot.
Wal-Mart and OfficeMax both suffered different data breaches in Nov. 2005 that led to at least one credit union in California canceling and reissuing debit cards to its customers.
But both retailers flatly denied they were responsible for any breach that could have led to a hack of this magnitude.
Litan believes the fault may rest with a third-party payment processor, rather than a retailer.
Processors would have the most to lose from being "outed" as the victim of a breach, as in the case of CardSystems' failure to prevent hackers from accessing millions of Visa/MasterCard records in 2005.
History Repeats Itself?
So badly was CardSystems' credibility hurt that it planned to go out of business after Visa and MasterCard both stated they would terminate their relationships with the Arizona-based payment processor. Visa had stated it would end its relationship with CardSystems by Oct. 31st, 2005.
But the company won a reprieve from Visa, which agreed to continue working with CardSystems through Jan. 31st, 2006, as the company was targeted for buyout by rival payment processing company CyberSource.
CyberSource lost the CardSystems bid to PayByTouch, a California-based company specializing in biometric solutions for payment transactions.
Perhaps not coincidentally, several cardholders affected by the wave of debit card cancellations claimed their banks made the change based on a loss that happened between Nov. 2005 and Jan. 2006.
One cardholder told fraud-fighting blog the Consumerist that his wife's debit card was to be canceled and replaced, as she shopped at most of the retailers suspected in the breach.
"She uses her personal card for business transactions (she is reimbursed later) at all of the stores in your latest post. The letter that she got said the loss happened between Nov '05 and Jan '06," the cardholder wrote.
Many cardholders found their banks suddenly switching their cards from Visa to MasterCard as a result of the data hack. Others never used Visa cards, or any debit cards at all, but did shop with their credit cards at one of the retailers suspected of being involved in the hack.
One irate ConsumerAffairs.com reader wrote to tell us we were focusing on the wrong potential culprit.
"[It's] easy to make a scapegoat of CardSystems, since a retailer can find another processor," the reader said. "But Visa would never tell Wal-Mart that they couldn't take their cards...that would hurt revenue."
It's Not Over til It's Over
So who is responsible?
• Did CardSystems or another payment processor store individuals' PIN data sloppily?
• Did a major retailer snap up customers' debit or credit card information for marketing purposes, and forget to secure it?
• Is the industry covering up the scandal in order to ensure people keep pulling out the plastic?
Although federal authorities are claiming to investigate the data breaches, the public silence on the issue is leaving many consumers frustrated at the lack of transparency, and nervously wondering if they'll find their checking accounts drained or their cards abruptly canceled.
And according to Avivah Litan, the worst is yet to come.
"The banks are only halfway through this latest scam," she said in Gartner's report. "[This] will continue to affect large numbers of cardholders."