Debit cards canceled after security breach

January 17, 2007

Andi Esposito

About 1,300 debit-ATM cards issued by Fitchburg Savings Bank were deactivated yesterday after the bank was told by Visa USA that a “large-scale data compromise” may have included its check cards.

None of the cards was used fraudulently and all are being replaced, said Martin F. Connors Jr., bank president and chief executive officer. “If someone has the person’s information, at this point they can’t do anything with it,” he said.

Mr. Connors said he was aware of at least one other financial institution in Worcester County with far more cards affected by the security breach. A broader problem was confirmed by the Massachusetts Bankers Association yesterday.

“It appears that Visa has notified a number of banks in Massachusetts that a large-scale retailer has had a problem with some of its customer data,” said Bruce E. Spitzer, an MBA spokesman. “Quite a few banks are replacing cards or notifying customers to be extra vigilant in monitoring their accounts. If a card needs to be reissued, the bank will do it.”

Another source indicated that the breach may be broader than Visa cards.

Mr. Connors said customers should receive new debit cards within a week. Cardholders may activate their new cards immediately by going to one of seven Fitchburg Savings Bank branches with proper personal identification and changing the PIN number on their new card. Or they can wait to receive a new preassigned PIN in the mail and follow the activation instructions, the bank said in a letter dated yesterday to customers.

The bank also recommended customers review their account transactions online, through a telephone banking system or when their paper statement arrives and report any suspicious transactions.

The problem at Fitchburg Savings is only with debit cards; the bank is not a direct issuer of credit cards, said Mr. Connors. If there was fraudulent use, a customer would be reimbursed and the bank would take action against Visa, he said.

Under Massachusetts law, consumers are liable for up to $50 if a debit or credit card is used fraudulently and there is no time limit in which to report the fraud, said David J. Cotney, chief operating officer for the state Division of Banks.

Visa is not required to report card security breaches to the state, said Mr. Cotney.

Visa is also not required to reveal the source of the breach to financial institutions.

Mr. Connors said the bank found out about the problem early yesterday and called in an emergency operations team at 7 a.m. to start card deactivation, which was completed by 9 a.m. The costs of such breaches are not inconsequential. Not only would the bank absorb any potential card losses, it will shoulder the costs of deactivation and card replacement, customer communications and the loss in fee income while cards are being replaced and not in use, said Mr. Connors.

Visa, MasterCard and others have mandated Payment Card Industry Data Security Standards for handling credit and debit card information. The requirements apply to members, merchants and service providers that store, process or transmit cardholder data. A spokesman for Visa said last night that he couldn’t provide any immediate information about the breach.
