[ISN] Visa cards violated: BofA is reissuing after hack attack

Mon Apr 19 04:59:20 EDT 2004

http://business.bostonherald.com/technologyNews/view.bg?articleid=439

By Jay Fitzgerald
April 16, 2004

Holders of Fleet Visa business credit cards may be the latest victims
of hackers who possibly got hold of sensitive card numbers via a
merchant's computer system, officials acknowledged yesterday.

Fleet Credit Card Services, now part of Bank of America [BAC:  chart,
news] Corp. after this month's takeover of FleetBoston Financial Corp.
[FBF: chart, news] , is sending new cards to an unspecified number of
customers because of a security breach at an unnamed merchant.

Deborah Pulver, the spokeswoman, wouldn't say how many customers will
get new cards and account numbers.

``It's a very small portion of our business accounts,'' she said.  
``There was some type of compromise'' apparently tied to Visa.

In a statement to the Herald yesterday, Visa USA confirmed that it was
``recently notified by a U.S. merchant that it may have experienced a
data security breach resulting in the compromise of Visa card account
information.'' A Visa spokesman would not elaborate.

Officials declined to say if the latest incident is tied to a recent
theft of credit card numbers at Natick-based BJ's Wholesale Club Inc.
On March 12, BJ's warned that a ``few hundred'' of its 8 million
members had their credit card numbers stolen in a possible systems
breach.

Citizens Bank, Washington Trust Bancorp, of Rhode Island, and Navy
Federal Credit Union in Virginia were among the firms that issued new
credit cards and account numbers after BJ's disclosure.

Amy Russ, a BJ's spokeswoman, said yesterday that she couldn't comment
on the matter.

Douglas Devitt, a co-owner of Voyager Sound Inc., a Weston software
developer, said he recently got a letter, dated April 9, from Fleet
saying his Fleet Platinum Visa business card account may have been one
of those obtained by an ``unauthorized party.'' The letter stresses
that there's no actual sign of ``fraudulent activity'' in the account,
but that the card would be replaced anyway.

Devitt said he's a member of BJ's, but had never used that specific
Fleet card at BJ's. About a month ago, he said, Fleet issued him a new
business credit card due to a possibly unrelated fraud case in which
his account was improperly charged $1,200.

Now Fleet is replacing his card for the second time in a month, he
said. ``I'm just glad someone is watching out'' for his interests, he
said.

Devitt said he talked to one person at Fleet who told him that the
latest incident involved ``Nigerian mafia'' hackers. But Fleet's
Pulver said there was no Nigerian connection to her knowledge.

Richard Smith, an Internet security consultant in Brookline, said he
knows no details about the BJ's and Fleet incidents.

But he said merchants in general are often the ``weak link'' in the
credit-card security system. ``The credit-card system has many players
involved,'' he said, noting there have been infamous cases of Russian
and Eastern European hackers stealing U.S. credit card numbers.