OfficeMax at center of major data-security breach with debit cards

February 14, 2006

By David Lazarus

http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/02/14/BUGGQH7QK21.DTL



OfficeMax is the Northern California retailer at the heart of a major data-security breach affecting as many as 200,000 consumers, banking and law-enforcement sources confirmed Monday.

They also said investigators are exploring the possibility that the Russian mob or another Eastern European crime syndicate is responsible for accessing U.S. consumers' debit-card numbers and selling counterfeit cards on the black market worldwide.

Bill Bonner, an OfficeMax spokesman, said that to the best of his knowledge, no security breach had occurred at any of the Illinois company's Northern California outlets.

"I just can't say that happened," he said.

Still, Bonner declined to comment on whether OfficeMax is cooperating with the FBI and Secret Service on their investigation into the debit-card theft.

"I can't make any comment on any law-enforcement investigations," he said, adding that "we're trying to be responsible and not create any kind of panic."

Four well-placed sources in the banking industry said it's possible that OfficeMax can't yet say with certainty that a breach occurred because it often takes investigators time to piece together a hacker's electronic trail.

But they said there's no doubt that OfficeMax has made its computer system available to federal authorities for their investigation.

Special Agent Karen Ernst of the FBI's Sacramento office declined to discuss details of the case.

"It's an ongoing investigation being worked jointly with other agencies, including the Secret Service," she said.

Numerous banks have replaced customers' debit cards in recent weeks, including Bank of America, Wells Fargo and Washington Mutual.

An executive at one leading bank told me he spoke with senior officials at OfficeMax shortly after news of the security breach broke in this column last week.

He said he was surprised by the bank's decision to remain silent on the matter. "I warned them point blank that they have to get out in front of this," the exec said.

It appears that a hacker penetrated the computer network of an OfficeMax outlet in Sacramento last fall, sources said.

They said the hacker may have gained access to account information for as many as 200,000 customers, potentially downloading people's names, debit-card numbers and secret codes used to validate transactions.

Bank officials said bogus charges related to the incident have cropped up throughout Europe and Asia. Many have originated in former Soviet bloc countries.

This has raised investigators' suspicions that the Russian mafia or another Eastern European crime syndicate is behind the OfficeMax breach, sources said.

In September 2004, a senior FBI official, Steven Martinez, testified before Congress that the bureau's Internet Crime Complaint Center, or IC3, had noticed an increasing number of cyber crimes involving Eastern Europeans.

"The FBI, through the IC3, has observed a continuing increase in both volume and potential impact of cyber crime with significant international elements," he said.

"Identifying such trends, as well as formulating an aggressive and proactive counterattack strategy, remains a fundamental objective of the FBI's Cyber Division."

It's unclear when the OfficeMax hack actually occurred. Banking industry sources say they believe authorities were made aware of the situation in December.

But they acknowledge that consumers' personal info could have been endangered well before this time.

Oakland resident Alicia Vagts, 34, illustrates this possibility. She discovered in October that someone in Estonia was running up about $2,500 in fraudulent charges on her Washington Mutual debit card.

"I barely knew where Estonia was," she said. (It's on the Baltic Sea, right next to Russia.)

Asked if she ever shops at office-supply stores, Vagts said she was a frequent customer of OfficeMax while attending law school in Sacramento.

"I was there all the time, buying things for school," she said.

A Washington Mutual spokesman said it's not yet known whether Vagts' case is linked to the security breach now being probed by federal investigators or was a separate incident.

He and other bank reps said financial institutions are being extra cautious in this latest case, replacing debit cards not just for OfficeMax shoppers but also for an unspecified number of other people who may never have visited the retailer.

But OfficeMax is the common denominator for most consumers affected by the security breach.

San Francisco resident John Wilson, 52, said he has no doubt why he got a new card in the mail this week.

"OfficeMax is the only office-supply store I've gone to where I've used my debit card for the past two years," he said.

This isn't the company's first brush with fraud in Northern California.

Last month, a former worker at the OfficeMax outlet in the Alameda Towne Centre was arrested for allegedly using a customer's credit card number to pay about $1,000 in cell-phone bills.

Sgt. Dennis Hart of the Alameda Police Department said the suspect, Oakland resident Chantalle Adrianna Allen, 19, admitted the theft after being taken into custody.

He said the card in question belonged to the Odd Fellows, a fraternal organization. A member of the group had purchased office supplies at OfficeMax in December.

[an error occurred while processing this directive]