On Tuesday we speculated that the surge in credit card fraud and forcible card reissues our readers have been reporting to us were the result of a recently discovered breach at a “major retailer,” and now GE Money Bank reported that the data of over 650,000 customers of JC Penney and hundreds of other retail stores is missing. Are these two events related? The official line is no. GE Money Bank says the data, which was stored on magnetic tapes, “was created in such a manner to make unauthorized access extremely unlikely and difficult, even for experts with specialized knowledge and technology.” But guess what?
You could say the same thing about the TJ Maxx data breach. In that case, people’s debit cards and PIN blocks were stolen. PIN blocks contain the PIN numbers you punch in at checkout, and they’re encrypted as well, most likely in a way to make “unauthorized access extremely unlikely and difficult.” But guess what again? Russian scammers were able to decode the PIN blocks and had cloned people’s debit cards and went on an ATM withdrawal spree. It’s not too far to think that motivated individuals might do the same with this magnetic tape. And there’s no better motivator than filthy lucre.
GE Money Bank said it took two months to access the tapes and reconstruct whose Social Security numbers were possibly compromised. The tape loss was discovered in October. When did our readers start noticing these credit card fraud problems? Late December. November, December, that’s also two months after October. So then, perhaps it also took our theoretical scammers two months to exploit the customer data.
It’s entirely possible that the events are not related, and that the surge in credit card fraud could be a collection of random identity theft blips that just happen to spike at the same time. But it seems odd that on Tuesday Citibank tells one of our readers that his card has to be reissued because a “major retailer,” had a data breach, “the kind of thing we would probably hear about in the news,” and then on Friday, blamo, JC Penney and hundreds of other retailers report a missing tape with the data on over a half a million customers.