British financial giant HSBC is notifying 180,000 people in the United States that their credit information may be vulnerable to thieves.
The bank said data about customers who used its MasterCard credit cards to make purchases at a retail store may have been exposed.
HSBC said its card, the General Motors-branded MasterCard, was used at the retailer by approximately 180,000 customers. The bank blamed the antiquated point-of-sale (POS) system at the business, which may have left scores more credit card companies and shoppers vulnerable.
Under current laws and banking rules, financial institutions are not required to notify cardholders of the potential fraud.
"There is nothing wrong with the General Motors MasterCard," Tom Nicholson, a spokesman for HSBC, said. "It was the retailer's software system."
Nicholas said the point-of-sale systems (the machines running the cards system) at the retail stores were retaining credit information instead of "purging" it. The system is supposed to send information immediately to designated banks and then wipe it clean. Older software systems often retain the information and store it on site. The incidents occurred between June 2002 to December 2004.
Nicholas said the bank is continuing to evaluate the accounts to determine if they may have been affected, but added that there had been no reports to this point.
HSBC had not disclosed which retail store was involved but several published reports said it was a Ralph Lauren Polo store.
Visa USA released a statement saying it was aware of a data security breach that possibly compromised Visa credit-card account information and is "working with the merchant, law enforcement and the affected member financial institutions to monitor and prevent card-related fraud."
HSBC has mailed notification letters to 130,000 customers who shopped at the retailer, and expects the last 50,000 to be completed this week, said Nicholas. Holders of the HSBC General Motors MasterCard will be offered a new card at no cost.
The situation marks yet another high-profile incident where personal data has been stolen from retailers, universities and financial institutions. The growing reports have touched off public and political debate over who owns what information and how it should be cared for.
The scandal comes at a time when many institutions holding vital statistics on individuals seems to be vulnerable. As reported earlier this week by internetnews.com, information publisher Reed Elsevier said more than 300,000 people were exposed to scammers on its LexisNexis databases last month.
In February, credit-check company ChoicePoint
announced it had unwittingly handed over the information of 145,000 people
to thieves, and several incidents on university campuses last month exposed
tens of thousands of records.