Dollar Bank issuing new debit cards in the wake of Chipotle data breach
Dollar Bank will send new debit cards on Friday to about 5,000 customers in Western Pennsylvania, following a data breach at the popular food chain Chipotle.
Chipotle, which has about a dozen locations in the region, detected unauthorized activity on the network it used for processing payments during the last week of March and first half of April, according to a statement issued by the company.
The company said the breach has been fixed but recent customers should watch their bank accounts for suspicious activity.
“Our investigation is focused on card transactions in our restaurants that occurred from March 24, 2017, through April 18, 2017,” the statement reads, without specifying which restaurants were involved or for how long.
“We are working with investigators to complete the investigation. When there is more information available, we will share that accordingly,” Chipotle Communications Director Chris Arnold said when asked for more specific information.
Joseph Smith, senior vice president of marketing for Dollar Bank, said his company has tried to notify all of its affected customers. The bank’s policy is to issue new cards when a data breach becomes apparent, he said.
“This is now becoming so standard for the industry; there are so many breaches,” he said. “What is unusual in this case is that it was an extended period of time and involved a large number of cards.”
Smith said old cards will remain functional until new cards are activated or until May 16, whichever comes first.
Customer access PINs will not be changed, but new cards will come with different numbers, which could affect card users with automatic payments scheduled to use their old cards.
So far, no customers have reported unauthorized activity on their accounts stemming from the data breach, Smith said.
Marcey Zwiebel, a spokeswoman for PNC bank, said PNC will not issue new cards, but encouraged customers to monitor bank accounts for fraudulent activity.
“We’re still evaluating the full impact of this situation on our customers. At this time, based on our evaluation of the impact, we are not issuing new cards,” she said.
Inga Goddijn, executive vice president of Risk Based Security, a Virginia-based company that tracks data breaches and provides cybersecurity services, said Chipotle’s breach was similar to others that happen with an unfortunate regularity.
Goddijn said the hackers behind data breaches such as Chipotle’s often take their time infiltrating a system and, once they are in, slowly move around the system to see what sort of data they can access and how they can extricate it.
Credit card data often is sold on the black market to people who make fake credit cards with the numbers. Those people then go to retailers such as Target and buy gift cards, Goddijn said. Tracking down the hackers and fraudsters is difficult and often impossible.
Goddijn said that identifying a security breach within a month isn’t that bad compared with other breaches.
“Oftentimes, with breaches like this, the intrusion isn’t necessarily detected until fraudulent activity is noticed,” Goddijn said.
Credit card numbers were accessed in about 20 percent of the more than 4,000 security breaches in 2016, a report from Risk Based Security found.
Lorrie Cranor, co-director of CMU’s Privacy Engineering Master’s Program, said banks typically issue new cards after accounts are compromised in a breach.
“The threshold of when they are going to send you a new card has lowered,” said Cranor, who is also a faculty member at CyLab, a cybersecurity research and education institute at CMU, and a professor in the departments of Engineering and Public Policy and the Institute for Software Research.
“Changing a customer’s account number is a relatively easy and inexpensive thing to do and can save problems later.”
Cranor said chances are good that, no matter what, victims of credit card fraud won’t be on the hook for fraudulent purchases. Catching fraud early, however, will make it easier to sort out.
Both Cranor and Goddijn said the best way to stay safe is to carefully monitor credit and debit card statements. Cranor recommends looking at statements every month.
“Really get into the habit of doing that,” Cranor said. “That will allow you to detect a problem within a few weeks.”
Goddijn advises studying every transaction, even small ones. Transactions of a few dollars or less can be a red flag.
“Oftentimes, those small charges are used to test whether the card or the information is still good,” Goddijn said.
Goddijn added that people should contact their banks right away if they suspect fraud and that credit cards typically offer a little better consumer protection than debit cards.
Cranor suggested people check out www.identitytheft.gov for more resources.
Matthew Medsger is a Tribune-Review staff writer. Reach him at 724-226-4675, email@example.com, or on Twitter @matthew_medsger. Aaron Aupperlee is a Tribune-Review staff writer. Reach him at firstname.lastname@example.org, 412-336-8448 or via Twitter @tinynotebook.