David Paul may be the victim of a data breach. But he can’t be sure.
His bank sent him a letter recently with a new Visa credit card saying his information had been compromised, and he should update his automatic payment systems with the new card information.
According to Paul, the letter from US Bank said: "We have identified a potential risk to your account based on fraud patterns impacting a merchant or card processor.” When Paul, 58, and a computer systems engineer at UC Berkley, called inquiring about the source of the breach, no one could tell him. The Visa (V) card is issued through US Bank.
The Oakland, Calif., resident called the bank to inquire as to which merchant was the source of a potential fraud concern so he could modify his future purchases, but the representative wasn’t able to tell him. He says the worker first put the blame on Target (TGT), which suffered a massive data breach over the holiday season, and then Neiman Marcus, who had got breached late last summer.
But Paul told the person at the bank he hadn’t shopped at either of the retailers during the times of the breaches.
Paul says he pressed the bank, but no one was able to tell him the source, and was told Visa wouldn’t give the bank that information.
FOXBusiness.com reached out to US Bank for comment, and the bank directed all questions to Visa.
“I wasn’t too surprised they wouldn’t tell me, but it bothered me that they had two scapegoats with the Target and Neiman breaches,” Paul says. “Being in the computer business, I know how prevalent and easy it is to put hacker software on the computer. But I am a little surprised how easy it is to put hacker software on a point-of-sale system and gather that data.”
FOXBusiness.com reached out to Visa about Paul’s situation and another potential breach, and a spokesperson was not able to elaborate more on any potential activity and said the company can’t reveal the source of the potential breach while investigations are still ongoing.
“We also believe that the public interest is best served by quickly notifying financial institutions with the information necessary to protect themselves and their cardholders from fraud losses. Even a slight delay in notification to financial institutions could be costly,” the spokesperson said in an e-mail statement. “Visa works with the breached entity to collect the necessary information and provides payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring, and if needed, reissuing cards. The most critical information needed is the affected accounts, which Visa works to provide as quickly as possible.”
The spokesperson also said in the statement it would be “unfair” to identify a single source of a compromise before a criminal and forensic investigations are complete. “Similarly, disclosing the name of the compromised entity would become a powerful disincentive for the compromised entity to share time-sensitive information with Visa and law enforcement. It’s also important to recognize that law enforcement may request that the name of the compromised entity not be disclosed before the investigation is complete, as it has the potential to tip off the fraudsters and interfere with the criminal investigation,” the statement said.
But as a customer, Paul says he has a right to know. Earlier this week, Attorney General Eric Holder called on Congress to create a national fraud and breach alert system to help to more quickly alert consumers if their information was potentially compromised. There are currently data breach notification laws across 46 states and the District of Columbia, but there isn’t a national federal law in place.
For example, Target’s breach was tipped off by cyber security expert Brian Krebs, who heard about the breach from banks who were dealing with credit card issues.
“I think part of my frustration too is that it’s very easy for Visa, and the banks to control and sell your information, but when the tides are reversed, it’s not that easy,” Paul says.
But Rob Sadowski of RSA, a cyber security firm, says it’s not that simple, and Visa may not know where the breach originated. “They don’t want to jeopardize an ongoing investigation,” he says. “In some cases, they may know there was a potential card fraud, but might not even know where it occurred.”
And in California, where Paul lives, California Bill SC 1386, which covers card fraud notification, states, “The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.”
That being said, Sadowski says he sympathizes with Paul’s frustrations as a consumer. He says the situation is common, but there is some good news: consumers do in many cases find out the source of the breach.
“The issuing bank is looking to stop fraud as quickly as possible, but the full investigation takes time,” he says. “It’s this lag in timing around the investigation, if [Paul] was notified where the breach occurred, that could give criminals time to cover their tracks.”