Credit Card Issuer Discloses Retail Data Breach
The day after an April 13 Senate Judiciary Committee hearing on data security, the North American division of British credit card company HSBC PLC sent letters to 180,000 cardholders to inform them that their personal data may have been accessed via transactional data of a U.S. retailer, according to a report in yesterday's Wall Street Journal.
The Journal identified the retailer as Polo Ralph Lauren Corp., though it said the company declined to comment and HSBC would not discuss specifics.
HSBC told the paper that the consumers who may be affected by the breach hold a General Motors-branded MasterCard and that the letters were sent last week.
MasterCard and Visa acknowledged that they were aware of the breach and had notified the banks that issue their cards, and that cardholders were protected from fraudulent charges to their accounts.
The news follows the March 8 revelation that Retail Ventures Inc. subsidiary DSW Shoe Warehouse suffered a data theft affecting 103 of its 175 U.S. stores. The number of consumers affected was not revealed, but stolen data included credit card information and purchase data.
Bank of America confirmed Feb. 25 that some of its computer data tapes containing personal and account information for 1.2 million federal government charge card program customers were lost during shipment to a backup data center.
The latest incident likely will strengthen legislators' resolve to pass new federal data protection regulation this year.
This week alone, Sens. Charles Schumer, D-NY, and Bill Nelson, D-FL, introduced an identity theft prevention bill that would create a Federal Trade Commission office of identity theft and require data providers to register with the FTC. Other provisions would institute safeguards to prevent fraudulent access to data and give consumers access and the option to fix errors.
The legislation also would mandate notice of third-party data disclosure and notification of data breaches. Provisions related to Social Security numbers would prohibit companies from asking for the numbers unless necessary for a transaction; prohibit display of Social Security numbers on employee IDs; ban the sale and purchase of the numbers except for law enforcement, national security and fraud purposes; and grant the attorney general the ability to define exemptions.
Also this week, Sen. Dianne Feinstein, D-CA, offered a revised version of the Notification of Risk to Personal Data Act that she first introduced Jan. 24. The original bill required notification when sensitive data are breached. The revision adds provisions to close loopholes that exempt encrypted data and to specify the contents of the notices.
The flurry of legislation began when data providers ChoicePoint and LexisNexis suffered high-profile data breaches.
Kristen Bremner covers list news, insert media, privacy and fundraising for DM News and DMNews.com.