Want CNET to notify you of price drops and the latest stories?

Web of intrigue widens in debit-card theft case

Wal-Mart acknowledges a breach but OfficeMax's role is uncertain in a case that has resulted in 200,000 cards being canceled.

Greg Sandoval Former Staff writer
Greg Sandoval covers media and digital entertainment for CNET News. Based in New York, Sandoval is a former reporter for The Washington Post and the Los Angeles Times. E-mail Greg, or follow him on Twitter at @sandoCNET.
Greg Sandoval
3 min read
An investigation into thousands of compromised debit cards that was widely reported this week appears to involve two of the nation's largest retailers, according to multiple law enforcement and banking sources.

This week, two major banks joined a credit union in canceling a combined 200,000 accounts belonging to debit-card holders. In letters to affected customers, Bank of America and Washington Mutual said they were canceling debit cards because of a security breach at a "third-party" location. Officials from both banks and law enforcement agencies have refused to identify the location.

Sources now say that the case might involve two separate retail chains--one which has ackowledged a problem and another whose possible role is uncertain.

After receiving a call from CNET News.com about the investigation into the 200,000 canceled credit cards, a Wal-Mart media representative refused to answer questions but called attention to a statement released by the company on Dec. 2, 2005. In the statement, Wal-Mart acknowledged that credit cards used by some customers who bought gas at the company's Sam's Club stations between Sept. 21, 2005, and Oct. 2, 2005, were compromised. Many Sam's Clubs also accept debit cards.

There are more than 500 Sam's Clubs in the United States, according to information on Walmart.com, but it is unclear how many sell gas. The December statement also did not say whether the security breach was restricted to any region.

"The investigation began when the credit card issuers reported that some cardholders were reporting fraudulent charges on their statements," Wal-Mart said in its press release. "It is still in its preliminary stages, with no determination on how the data was improperly obtained."

Bentonville, Ark.-based Wal-Mart also said it had reported the case to the U.S. Attorney?s Office and the Secret Service.

But the trail doesn't end with Wal-Mart, said sources close to the investigation. As investigators began to look into the recent rash of unauthorized charges, they found that a large number of people whose debit cards were compromised had one thing in common: they previously had shopped at office-supply chain OfficeMax, said a banking source familiar with the case. Two law enforcement sources also said OfficeMax is part of the investigation but did not provide details.

None of the sources, who requested anonymity due to the ongoing investigation, knew for certain whether OfficeMax had suffered a security breach.

"We have not suffered any security breach to our knowledge," OfficeMax spokesman William Bonner said Friday.

According to one banking official close to the case, OfficeMax has been queried by at least one financial institution about the matter.

"This is why we don't reveal the names to the public," said the banking official who requested anonymity. "We're not sure which customers may have been ripped off in the Wal-Mart deal or whether OfficeMax was the problem."

The case is being investigated by the FBI and Secret Service, said FBI Special Agent John Cauthen, who works out of the bureau's Sacramento office. Cauthen declined to comment on Wal-Mart or OfficeMax.

Cauthen said Friday the FBI is working on a debit-card fraud case that was first reported by The Sacramento Bee last November. In that case, the Golden 1 Credit Union canceled about 1,500 debit cards after being alerted to possible fraud in the Sacramento area.

The credit union told customers that the fraud resulted in "counterfeit cards being made and used internationally." Golden 1 told the Bee that it closed accounts after discovering unauthorized withdrawals at ATMs in Great Britain, Russia and South Korea. Golden 1 also said that not all the debit cards cancelled had unauthorized withdrawals on them, but all were used at an unidentified Sacramento business in the fall of 2005.

Someone working for that merchant is suspected of pilfering account and personal identity numbers from the cards, the Bee reported.