, SecurityFocus 2006-03-31
The U.S. Secret Service arrested seven people across the nation this week as part of an ongoing investigation that has turned up links to the massive debit-card breaches which have worried banks and consumers.
The investigation, dubbed Operation Rolling Stone, has resulted in 21 arrests in the last three months and involves local, state and international law enforcement. The online uncover operation targets Internet criminal groups that "threaten our financial infrastructure," Jonathan Cherry, spokesman for the U.S. Secret Service, told SecurityFocus.
"Rolling Stone is an ongoing and active operation in its initial phase with future coordinated arrests expected as the operation continues," Cherry said.
The operation could also shed some light on--and even lead to the perpetrators of--several massive debit-card data breaches that have left millions of consumer bank accounts at risk. Over the past two months, widespread debit-card fraud has led to a search for the sources of the breaches. Three major incidents in the last six months--a breach associated with OfficeMax, another with Sam's Club and a third compromising an ATM network--have likely all contributed to the current uptick in fraud.
Operation Rolling Stone, which originally did not focus on the epidemic of debit-card fraud, has at least exposed some new leads, Cherry said.
"Some of these arrest were linked to recent nationwide compromises of debit-card customer information and PINs involving a number of retailers and debit card issuers," he said.
Over the past two months, a spate of debit-card fraud has worried consumers and banks. While no company has come forward to claim responsibility as the source of the data fueling the fraud, three major breaches in the last six months are likely responsible, according to sources in the banking industry.
A breach at a California office-supply chain last year resulted in the leak of an estimated 200,000 ATM and debit account numbers along with the associated personal identification numbers, or PINs. A rash of fraud that started in February was blamed on the leak, and media reports pointed at OfficeMax as the source. In its annual report published last earlier in March, OfficeMax warned investors that the situation could hurt its results.
"There is an ongoing federal investigation relating to ATM fraud involving legitimate debit card use at various retailers that was later tied to fraudulent transactions outside the U.S.," the company stated in the filing to the Securities and Exchange Commission. "While we have no knowledge of a security breach at OfficeMax, it is possible that information security compromises involving OfficeMax customer data, including breaches that occur at third party processors, may damage our reputation."
Last December, Sam's Club, a subsidiary of Wal-Mart, acknowledged that it was cooperating with an investigation into 600 cases of fraudulent transactions using credit cards and debit cards at its gas stations. While the retailer has only acknowledged those cases, the incident has led to credit-card companies issuing warnings to banks for, what is likely, millions of cards, according to banking executives. A Sam's Club statement stressed that the company does not believe its in-store or online systems were breached.
"If any compromise occurred, it appears to be limited to the Sam's Club fuel station point-of-sale system," Mark Goodman, executive vice president for Sam's Club, said in a statement released on March 3.