Card Canceled After Target Data Breach Hit With Fraudulent Charge Anyway

The massive holiday season Target data breach is the gift that just keeps on giving consumers more headaches. Replacing a compromised card may not be enough to prevent fraud, it turns out: criminals may still be able to charge purchases to your old account even if you thought it was closed.

That’s what happened to reader April from New York state. She shopped at Target with her Capital One-issued Visa card in November and December. After the hack came to light, Capital One issued her a new card with a new number and April thought that would be the end of it.

But this week, she writes, there was something suspicious on her statement: “I noticed a charge for nearly $200 at CVS, at a branch I’ve never been to,” April explained. “I confirmed with my husband that he did not drive 45 minutes to go to CVS, then called CapOne.”

During the call, it occurred to April to ask which credit card number had been used: her new one, or the card that was canceled after the Target hack. The customer service rep confirmed it was the old card, not the new one, that had been used. April continued:

“[The rep] explained that Visa allowed the transaction because I am a frequent CVS shopper (there is one up the street from my house). It didn’t matter that I’ve never been to this CVS before. She also explained that reoccurring charges for utilities, etc., would likely [continue to] go through if I hadn’t updated the card number on their websites.”

April added that Capital One told her the old card number would remain active for a week after her replacement card was issued, but the fraudulent charge occurred a month later, she said.

When we asked Capital One about April’s situation, a representative from the company stressed to Consumerist that they “made the decision to proactively reissue cards that were used at Target during the compromise window even though fraud had not yet been detected,” and that April was one of those customers who received a new card. They also added:

In order to minimize inconvenience for our customers, we allowed old cards to remain open for about a week after receipt of the new card before the old one was shut down to allow customers time to transition to the new card, reinstate recurring transactions, etc. Again, this was to avoid or minimize any disruption to our customers (who up until that point had not experienced any fraudulent activity on their card).

The spokesperson added that customers were notified in January that their new cards were coming, and the new cards were sent and received in late February, so the March 8 fraud on April’s card fits into that window. (Even though March 8 is more than a week from even the last day of February.)

CapOne did make sure April was not responsible for the charges to her card. Still, “I am annoyed,” April said. “[Customer service] just told me to keep checking my statements and to report any further fraudulent charges. What is the point of the new card if the old one is still usable by the criminals?”

Millions of other consumers are potentially in the same boat as April. In addition to Capital One, Citi and Chase also replaced some customers’ cards, as have many smaller banks. But the Target hack was so big that the sheer volume and cost means it’s taking a while to get new cards into customers’ hands. And even when those new cards are issued, the transition from old number to new clearly isn’t always seamless.

So remember: even if you or your bank have canceled a card you think is compromised, it never hurts to keep a sharp eye on your statements and take common-sense steps to protect your accounts.

Read Comments2

Edit Your Comment

  1. Saber says:

    A cancelled card can still be used for PIN-based transactions, too, even if it’s “turned off” (if the PIN stays the same) and if someone has the CVV code, they can still be used for ‘swipe/pos’ transactions as well. Even though the banks have told everyone that cancelling the cards will do everything, not changing the PIN or the CVV can have serious repercussions to customers.

  2. LooseSasquatch says:

    This is why whenever I cancel a card, I make 2 phone calls. The first one, I report the card lost/stolen and say that I need a new card number. Then I call back the next day or go online and cancel my account. This way, any transactions that are attempted on the old number, the credit card company pretty much assumes might be fraudulent and denies them.

    Ever since I did this on my VISA check card when I cancelled my checking account when I got married a few years ago, I’ve never had any issues with zombie cards/accounts. I even told the bank that my checkbook was lost so they literally changed my bank account number so it couldn’t zombie attack me from a direct debit attempt. Social engineering FTW!