Security Breach Reaches 200,000 Debit Card Holders

by David Lazarus

A data-security breach that resulted in numerous people having their debit cards canceled this week is actually much larger than first indicated.

As first reported in my Thursday column, an unspecified number of Bank of America customers have received letters warning that accounts may have been compromised "at a third-party location unrelated to Bank of America."

BofA has said only that the unnamed company is not a bank affiliate.

But well-placed sources within the banking and credit card industries now tell me that the company in question is a leading retailer in the office-supply business.

Those sources also place the total number of consumers affected by the security breach at nearly 200,000.

Washington Mutual confirmed Thursday that it too was involved in the breach and is replacing customers' debit cards.

Wells Fargo reiterated only that the bank protects customers "if we discover they are at risk for unauthorized transactions." However, multiple Wells Fargo customers told me they've received new debit cards from the bank via FedEx.

It's unclear at this point whether the retailer violated state law by not directly notifying customers of the breach, instead allowing customers to be ambiguously alerted by their banks.

State Sen. Jackie Speier, D-Hillsborough, a leading privacy advocate in Sacramento, said the spirit, if not the letter, of the law appears to have been violated.

"The intention of the law was not to create anonymous notifications," she told me. "It was to link the consumer with the company being breached."

Banking industry sources said they were notified last month by Visa and MasterCard that the computer system of a prominent merchant had been penetrated by a computer hacker, and that account information for thousands of customers had been endangered.

Rosetta Jones, a spokeswoman for Visa USA, acknowledged Thursday that the incident involved a U.S. merchant that "may have experienced a data security breach resulting in the compromise of Visa card account information."

"Upon learning of the compromise," she said, "Visa quickly alerted the affected financial institutions to protect consumers through independent fraud monitoring and, if needed, reissuing cards."

Sharon Gamsin, a spokeswoman for MasterCard International, said the credit card company had been informed of "a potential security breach at a U.S.-based retailer."

"We have notified the banks that issue MasterCard cards to monitor for any suspicious account activity and take the necessary steps to protect cardholders," she said, adding that MasterCard "will continue to monitor this event."

In any case, a serious issue raised by the incident is whether a business can avoid compliance with a California law requiring that customers be notified in the event of a security breach.

State law requires that any company "that owns or licenses computerized data" must notify consumers if any personal info is "acquired by an unauthorized person."

The law defines ownership of data as being "part of the business' internal customer account or for the purpose of using that information in transactions with the person to whom the information relates."

Tom Dresslar, a spokesman for Attorney General Bill Lockyer, said the retailer whose security was recently breached would be liable for notifying customers only if it was maintaining a database of account info and that database was compromised.

"Merchants clearly have notification requirements under the statute," he said. "The responsibility of this retailer is unclear based on the known facts."

But Ray Everett-Church, who runs a San Jose privacy consulting firm called PrivacyClue, said this position undermines the intent of the law, which took effect in 2003.

"Part of the intent of the law is for companies with lax practices to be held accountable," he said. "If they can hide behind card issuers, it calls into question whether merchants have a real incentive to improve their practices."

The law, Everett-Church said, "is intended to increase the risk for companies so they are encouraged to fix problems before they become bigger problems."

Speier agreed with this interpretation, observing that if the merchant in the latest case remains unidentified, its consequences for a serious security breach have been minimized.

"You're insulating that company from any downside or loss of business that might occur as a result of the breach," she said.

David Lazarus' column appears Wednesdays, Fridays and Sundays. Send tips or feedback to snipped-for-privacy@sfchronicle.com.

Copyright 2006 San Francisco Chronicle