Bank of America refused to release the name of the company involved, the exact number of customers affected or whether the company in question was online or a traditional brick-and-mortar establishment.
The case is unusual in that debit cards appeared to be at risk. Credit cards areat financial institutions because they are used more often than debit cards for retail transactions.
"These are intricate matters...and may involve information that is not exactly clear and concise," said Michael Chee, the bank's spokesman. "It would be premature to discuss any third parties until an investigation is conducted."
Chee said that to this point, there is no evidence that any of its customer accounts have been compromised. The move to cancel debit cards was a precaution, he said.
An investigation is under way, Chee said, but he added that he was unaware of what law enforcement agency was overseeing it.
Bank of America issued letters to many customers notifying them of the breach and that their debit cards were no longer good. The bank is also telling customers to watch out for any unauthorized transactions on their statements.
"As a proactive security-minded effort, we may take steps to replace people's cards," Chee said. "We know this can represent a minor inconvenience. The question is, would we rather risk inconveniencing customers and protect their information and accounts, or do we just do nothing?"