British financial giant HSBC is notifying 180,000 people in the United
States that their credit information may be vulnerable to thieves.
The bank said data about customers who used its MasterCard credit cards to make purchases at a retail store may have been exposed.
HSBC said its card, the General Motors-branded MasterCard, was
used at the retailer by approximately 180,000 customers. The bank blamed the
antiquated point-of-sale (POS) system at the business, which may have left scores
more credit card companies and shoppers vulnerable.
Under current laws and banking rules, financial institutions are not
required to notify cardholders of the potential fraud.
“There is nothing wrong with the General Motors MasterCard,” Tom
Nicholson, a spokesman for HSBC, said. “It was the retailer’s software
Nicholas said the point-of-sale systems (the machines running the cards
system) at the retail stores were retaining credit information instead of
“purging” it. The system is supposed to send information immediately to
designated banks and then wipe it clean. Older software systems
often retain the information and store it on site. The incidents occurred
between June 2002 to December 2004.
Nicholas said the bank is continuing to evaluate the accounts to
determine if they may have been affected, but added that there had been no
reports to this point.
HSBC had not disclosed which retail store was involved but several
published reports said it was a Ralph Lauren Polo store.
Visa USA released a statement saying it was aware of a data security
breach that possibly compromised Visa credit-card account information and is
“working with the merchant, law enforcement and the affected member
financial institutions to monitor and prevent card-related fraud.”
HSBC has mailed notification letters to 130,000 customers who
shopped at the retailer, and expects the last 50,000 to be completed this
week, said Nicholas. Holders of the HSBC General Motors MasterCard will be
offered a new card at no cost.
The situation marks yet another high-profile incident where personal
data has been stolen from retailers, universities and financial
institutions. The growing reports have touched off public and political
debate over who owns what information and how it should be cared for.
The scandal comes at a time when many institutions holding vital
statistics on individuals seems to be vulnerable. As reported earlier this
week by internetnews.com, information publisher Reed Elsevier said more than 300,000 people were exposed to
scammers on its LexisNexis databases last month.
In February, credit-check company ChoicePoint
announced it had unwittingly handed over the information of 145,000 people
to thieves, and several incidents on university campuses last month exposed
tens of thousands of records.