ATM theft investigators eye software flaw


Because of the presence of the trace utility program, the data was inadvertently saved, Litan said. Researchers now believe the data was stolen by a hacker who connected to OfficeMax computers over an open wireless connection, probably by someone using a laptop computer in a nearby parking lot, Litan said.

That alone would not have been enough to place customers at risk for fraudulent ATM withdrawals, because PIN codes are normally encrypted immediately as they are entered by consumers into store PIN pads. But special encryption keys for the data were stored on the same computer file that also stored the encrypted PIN data, Litan said — giving the criminals everything they needed to decode PINs, print fake ATM cards and withdraw money from anywhere in the world.

It's possible a third-party company was responsible for maintaining the computers used to process OfficeMax transactions, Litan said — the company hasn't revealed details about its transaction processes. But ultimately, the retailer that accepts the customer's personal information is responsible for keeping it safe, she said.

OfficeMax has issued several statements saying it does not believe it has suffered a security breach. The company issued a statement last week saying a third-party security expert had conducted a thorough forensic analysis and concluded that the firm did not suffer a security breach.

But Soladay said OfficeMax had not contacted Fujitsu to discuss the situation, or to discuss the Visa warning about the payment software.

Incident highlights bigger problem
Despite laws in several states mandating disclosure of data leaks to affected consumers — disclosures that became familiar after last year's high-profile data thefts at ChoicePoint Inc. and several other firms — no company has issued a disclosure in the wake of the recent wave of debit card and PIN theft. Consumers must discover the thefts from their bank accounts on their own and request refunds from their financial institutions within 60 days. Litan says that while the companies involved are blaming each other, consumers are getting hurt.

"It's terrible that all this is being delayed because no company wants to accept responsibility for liability reasons," she said.

While investigations into this most recent incident focus on OfficeMax, Litan said credit card issuers are concerned that hackers have found a weakness in the PIN-debit system and will continue to attack it at retailers.

The PIN-based magnetic card system was designed to be limited to bank-controlled ATM machines, she said. PIN-based transactions are now increasingly common at retailers, partly because retailers pay lower fees for PIN transactions than for credit card transactions. But that has opened the system to millions of additional points of attack. Retailers are generally less security-conscious than banks, she said. There are concerns, for example, that misused trace utility programs may be common.

"(Financial institutions) have told me they're concerned this is going to keep happening," she said.

© 2008 MSNBC Interactive
