Missing Data On 650,000 Customers Related To Credit Card Fraud Surge?

On Tuesday we speculated that the surge in credit card fraud and forcible card reissues our readers have been reporting to us were the result of a recently discovered breach at a “major retailer,” and now GE Money Bank reported that the data of over 650,000 customers of JC Penney and hundreds of other retail stores is missing. Are these two events related? The official line is no. GE Money Bank says the data, which was stored on magnetic tapes, “was created in such a manner to make unauthorized access extremely unlikely and difficult, even for experts with specialized knowledge and technology.” But guess what?

You could say the same thing about the TJ Maxx data breach. In that case, people’s debit cards and PIN blocks were stolen. PIN blocks contain the PIN numbers you punch in at checkout, and they’re encrypted as well, most likely in a way to make “unauthorized access extremely unlikely and difficult.” But guess what again? Russian scammers were able to decode the PIN blocks and had cloned people’s debit cards and went on an ATM withdrawal spree. It’s not too far to think that motivated individuals might do the same with this magnetic tape. And there’s no better motivator than filthy lucre.

GE Money Bank said it took two months to access the tapes and reconstruct whose Social Security numbers were possibly compromised. The tape loss was discovered in October. When did our readers start noticing these credit card fraud problems? Late December. November, December, that’s also two months after October. So then, perhaps it also took our theoretical scammers two months to exploit the customer data.

It’s entirely possible that the events are not related, and that the surge in credit card fraud could be a collection of random identity theft blips that just happen to spike at the same time. But it seems odd that on Tuesday Citibank tells one of our readers that his card has to be reissued because a “major retailer,” had a data breach, “the kind of thing we would probably hear about in the news,” and then on Friday, blamo, JC Penney and hundreds of other retailers report a missing tape with the data on over a half a million customers.

PREVIOUSLY: “Major Retailer’s” Data Breach Results In Wave Of Credit Card Fraud?


Edit Your Comment

  1. MightyPen says:

    My mattress is looking more and more lumpy as the days go by.

  2. bohemian says:

    They sold people on debit cards and increased credit card use because it was dangerous to carry cash. If you carried cash you would get mugged or your purse stolen.

    Carrying cash is starting to look safer. Even if you don’t end up personally out the money having your card reissued is a total PITA. I incurred some financial problems (mostly late fees) and about 10 hours of my time tracking down what bill pays I had set up under my old card number and canceling them. Not to mention the embarrassment of having my card declined, that’s how I found out my card had been reissued. So glad I didn’t discover this while on a trip or something.

  3. SJActress says:

    GE Money Bank reported that over 650,000 customers of JC Penney and hundreds of other retail stores is missing.

    Customers are MISSING?! How did they track THAT?!

    Ahem, I believe you mean DATA of over 650,000 customers.

    Thanks for the post, though. Good read.

  4. youbastid says:

    @bohemian: So you’d rather just lose the money outright than to have to spend 10 hours getting it back?

    I still feel safer with a debit card. If I get mugged, or lose my wallet (more likely), I’ll never get the cash back. If my check card info gets stolen, I get everything back. All it takes is the due diligence to check your account online every couple days.

    Fearing actual identity theft is another thing, but there’s no amount of cash in a mattress that will keep you totally safe from that.

    PS – If you don’t want to deal with re-doing all the bill pays every time you have to replace your card, link the payee to your checking account. That number stays the same.

  5. mantari says:

    Strange… Chris Walters was just telling us a similar tale about stolen account information.

  6. varco says:

    I recently had my check cards changed for 2 different accounts. They sent us new ones with 2011 expiration dates a few months ago, but the old ones were good until 2009 so we kept them. Then they were suddenly canceled the old ones a couple of days ago with no warning.

    When I went in to get new cards, there were some other people getting new cards too, so I think it was a credit union-wide thing. I wonder if it is a security matter (we’ve also had a lot of local credit union-related phishing going on recently).

  7. Mapmaker says:

    Given how common identify theft seems to be nowadays, maybe there’s been a second, unannounced batch of stolen numbers. Or hell, three or four.

  8. 3drage says:

    California attempted to pass an assembly bill that would require retail stores to erase PII from their unsecured and primitive computer systems. Good ol Arnie and his retail buddies vetoed the law after it was passed by an overwhelming majority. Now your identity is in peril. I wonder who should be held accountable for it?

  9. brian25 says:

    It is against PCI Data Standards to store PinBlock, CVV, CVC2, Track1, or Track2 data from credit/debit cards. There is no reason for them to store the PinBlock data as it does not offer the customer extra convenience nor allow looking up old receipts via credit card numbers, which is what many retailers do (which I hope is in a SHA-256 hash at least).

  10. mmmcookie says:

    Now I know if I buy boring mid-western style clothing. My credit card # will be stolen. No to self no more “mom” jeans.

  11. oldnumberseven says:

    It is comical to me that the crime is called identity theft when it seems in many cases the bank, credit card company, retail store, etc… seem just happy to lose the data, or give it away. That should be a crime as well. The idiot that took all the records home on their laptop, the brain dead clerk who got socially engineered, a few of those chaps should be stuck fined, or in jail as well.

  12. Mr. Gunn says:

    Lots of downplaying of this news lately.

    The headline news is choosing to run with the ever-compelling “man closes himself, except he really didn’t, but theoretically could have, maybe, but that wasn’t really the objective anyways”.

    Local news had “11 year old boy robs pizza delivery guy”.

    Does no one in the media have any fucking balls anymore?

  13. Silversmok3 says:

    The technology “was created in such a manner to make unauthorized access extremely unlikely and difficult, even for experts with specialized knowledge and technology.”

    All these ‘experts’ need are functional legs and hands to grab the tapes,copy them,and walk out the door.
    Assuming that the crooks copied the data tapes ,since GE Money Bank still has the master copies ,they wouldn’t even know they got hit until people’s money started dissapearing.

    And their spin doctors make it seem like magnetic tape is ‘secure’. Crazy.