Customer data theft from major retailers is becoming so commonplace that many consumers are starting to think it’s no big deal.
But for the banks and credit unions that have to cover losses associated with data thefts such as the massive, suspected breach at Home Depot stores, the growing frequency and scope of such crimes has become a major concern, industry representatives said.
Though the Maine Bureau of Consumer Credit Protection hasn’t received reports of fraudulent activity related to the latest suspected breach, representatives of the state’s financial institutions say there is evidence Mainers’ credit and debit cards already are being hijacked by criminals.
And that has them scrambling to address cardholders’ concerns and press Home Depot for information about what exactly was stolen.
“We are seeing fraud in Maine that we believe is associated with Home Depot,” John Murphy, president of the Maine Credit Union League, said without providing details.
On Friday, shoppers at Home Depot in Portland seemed unfazed by the possible theft of millions of the retailer’s customer credit and debit card numbers, including more than 52,000 in Maine.
“I’m not too worried,” Rockland resident Celena Cerovski said. “I’ve had my credit card information stolen before, and it’s always covered.”
Cerovski said that other than checking her Discover card statement more frequently, news of the data heist isn’t likely to change her behavior as a consumer.
“It probably won’t affect my choices,” she said. “I’ll probably still shop here (at Home Depot).”
The debit and credit card numbers believed to have been stolen from Home Depot locations in Maine were part of a suspected recent, nationwide data breach, although as of late Friday the retailer had not confirmed its point-of-sale system was hacked.
On Tuesday, millions of credit and debit card numbers were for sale on a well-known Russian hacker’s website, including at least 52,350 numbers listed as being stolen from 11 Maine ZIP codes in which Home Depot stores are located.
The total volume of U.S. card numbers for sale since the suspected Home Depot breach is unknown, but it is believed to be in the tens of millions, according to security analysts. About 40 million numbers were stolen in last year’s breach at Target stores, they have said.
Despite the scope of the recent security breaches and the huge potential for misuse of consumers’ financial data, most shoppers at Home Depot were finding it hard to get worked up about it.
“I think nowadays we’re getting kind of desensitized,” said Home Depot shopper Kurt Hein, a Portland resident.
Hein plans to keep using his debit card to make purchases despite the risk of data theft. In fact, he said, it’s almost certain that his data will be stolen.
“I think everybody’s pretty vulnerable at this point,” he said. Like Cerovski, Hein plans to pay close attention to his bank statements and respond quickly to any fraud alerts issued by his bank.
Maine banks and credit unions are expecting to suffer millions of dollars in losses as a result of the breach, said Murphy, the credit union league president. The primary costs will be associated with reimbursing cardholder losses and issuing new cards, he said.
Those costs will be passed on to consumers in some form, Murphy said, such as higher fees or interest rates.
“Ultimately it’s the customers that pay for it,” he said.
The total cost to financial institutions and their customers from the recent Target data heist has yet to be determined, but a 2008 survey by the Maine Bureau of Financial Institutions in the wake of the Hannaford and TJX data breaches found that related losses were in the millions, bureau superintendent Lloyd LaFountain III said.
The survey, in which 75 Maine banks and credit unions participated, found that losses to those institutions reached more than $2 million, most of it from the Hannaford breach.
Of the 75 respondents, all but four said they had been impacted by the data theft.
In all, Maine financial institutions said they had to reissue nearly 250,000 credit and debit cards at a total cost of about $2.1 million. More than 315,000 customer accounts were affected, they said.
Banks in Maine already were busy dealing with the fallout from recent data breaches at Shaw’s supermarkets and Otto pizza restaurants when reports surfaced about the Home Depot heist, said Christopher Pinkham, chief executive of the Maine Bankers Association.
Those crimes have cost Maine banks more than just money, Pinkham said.
“I think the greater frustration is that we have a lot of devoted employees who are scrambling at this time,” he said.
The problem is likely to get worse, at least until banks and retailers adopt a new point-of-sale system in fall 2015 that involves microchips embedded in cards as an added security feature, Pinkham said. And even that system will not be foolproof, he said.
“The bad guys are really sophisticated,” Pinkham said. “This is highly organized, highly technical theft.”
The losses associated with data theft have pitted financial institutions against retailers in disputes over liability, he said. Both sides want the other to be held responsible.
For now, the burden lies almost solely on banks and credit unions, Pinkham said.
“It’s frustrating when the retail industry in some ways wants to portray themselves as a victim,” he said.
At least one Home Depot shopper on Friday said he was not taking the recent data breaches lightly.
Falmouth resident Keith Wegener doesn’t understand why so many consumers have failed to take added precautions with so much fraud happening.
Wegener’s solution has been to use a debit card tied to a separate checking account into which he only deposits the amount needed to make each purchase.
“It would almost be an accomplishment if someone stole my debit account thinking they were going to make it to Beirut,” he said.
Send questions/comments to the editors.
Comments are no longer available on this story