Scores of Bank of America and Washington Mutual customers have received notifications from the banks that their debit cards were cancelled because of a breach at a "third-party" establishment. In interviews with CNET News.com, neither bank would disclose the name of the unidentified company.
However, law enforcement and banking sources, who asked for anonymity, told CNET News.com that the unidentified business was one of the big-box retailers.
Another law enforcement official, FBI Special Agent John Cauthen, said the bureau is part of a joint investigation into the matter along with the Secret Service.
Cauthen said the FBI believes the case is tied to a security breach first reported in The Sacramento Bee last November. In that case, the Golden 1 Credit Union canceled about 1,500 debit cards after being alerted to possible fraud in the Sacramento area.
The credit union told customers that the fraud resulted in "counterfeit cards being made and used internationally." Golden 1 also said that not all the debit cards cancelled had unauthorized withdrawals on them, but all were used at an unidentified Sacramento business in the fall of 2005.
Someone working for that merchant is suspected of pilfering account and PIN numbers from the cards, the Bee reported.
In a phone interview, Cauthen said the FBI and Secret Service are "working what appears to be the same debit-card case."
News of a wider problem arose this week when The San Francisco Chronicle wrote that Bank of America had begun canceling numerous debit cards. On Friday, the paper reported that as many as 200,000 debit-card holders could be affected.
Replacing the cards likely will cost the bank millions, as replacing debit cards costs about $20 apiece, according to Dan Clements, CEO of CardCops.com, an identity theft watchdog group.
"I've not seen debit cards stolen like this," Clements said. "Usually it's a combination of credit and debit cards...this is a large hack, no question about it. Quite frankly, this is the first piece of the puzzle hackers need to commit full-blown identity theft on consumers."
The past year has seen some large credit card heists. In June, an estimatedwhen hackers penetrated the online defenses of CardSystems Solutions, a payment-processing company.
Other companies to be victimized by electronic intruders include Bank of America, Wachovia, ChoicePoint and LexisNexis, as well as several universities:, Stanford and the University of California at Berkeley.