
If You Can't Trust Your Bank, Who Can You Trust?

You're traveling out of the country, for business or on vacation, and you decide it's time for lunch. You're about to hail a taxi to take you to that fantastic café you passed by this morning, but first you figure you might as well get some cash. No problem, there's even a branch of your local bank nearby. Well, maybe there is a problem. The ATM refuses to give you any money, informing you that your transaction cannot be completed and you should call your bank. You pull out your cell phone, but, it turns out after several minutes of hold music, the customer service representative can't figure out why your transaction was denied, and he can't help you. If this sounds like a realistic scenario, that's because, thanks to a data hack and careless encryption practices, it is for some customers of Citibank, Wells Fargo, and other financial institutions.

Shortly after I wrote yesterday's story about Citibank's confirmation that a third-party company it does business with had been breached, causing the bank to block PIN-based transactions for customers in Canada, Russia, and the U.K., I started to hear from the people directly affected by the mess this latest data faux pas caused.

One Wells Fargo customer named Ken Rutsky was nice enough to relate his experiences on the record. Ken, who's the executive VP of worldwide marketing for security software maker Workshare Inc. (don't you love the irony?), told me he'd arrived in London on March 5 and was unable to get money out of an ATM using his Wells Fargo debit card. "I tried and saw the message on the ATM, 'this transaction can not be completed. Contact your Financial Institution,'" Rutsky wrote me in an E-mail message.

"I had zero £'s but $100 in my wallet, so I begged three cabbies to take $$s at 2:1 exchange rate, and found one," Rutsky wrote. "In the cab I was told by 1-800-TO-WELLS customer service that I was over limit, which I knew I was not. After getting to my hotel I went to the ATM across the street. Same message. I called customer support again, and was told the account should work, my limit was raised, try another ATM. I walked about 1 mile to two other ATMs, same thing. I gave up for the day."

The rest of Rutsky's tale unfolded as you might expect: more calls to customer support, confusion over the cause of the problem, escalation to a supervisor, very little resolved.

But he's not alone. In a February 28 Seattle Times Web site posting, Seattle's Frank Conlon described a similar scenario. "I arrived [in] London last Friday afternoon and discovered that my Wells Fargo ATM card would not work in any bank machine. It was not a technical fault--Wells Fargo had put a hold on any ATM transaction in the entire U.K. I learned this after many pounds worth of phone calls first to my local branch in Seattle and then to Wells Fargo headquarters."

Conlon also notes that when he asked why he hadn't been previously informed of this problem, the bank said it didn't want to "compromise our investigation." He was finally able to get some cash by writing a check at American Express after showing them his AMEX card. "How a major bank like Wells Fargo could pull a stunt like this without notifying its customers is beyond belief," he wrote.

How did this happen? Citigroup, Citibank's parent company, has been very cagey about what happened on its end, using vague language in its official announcement describing how the bank and its customers were the "victims of a third-party business' information breach" that the bank detected in February after seeing "several hundred fraudulent cash withdrawals in three countries." Citigroup also stated that it's "in the process" of contacting affected customers individually and issuing new cards.

Even though Citigroup has known about this problem for weeks, the company doesn't feel it's in a position to provide much more information. This has led to much speculation over the cause and scope of its latest data security problem. Gartner VP and Research Director Avivah Litan told me Thursday that her research indicates a "huge hack" was perpetrated against a company that stores information about Citigroup clients. It's unclear whether this company is a retailer or some sort of service provider. Either way, the attackers got their hands not only on Citibank customers' encrypted PINs, but on the master key used to decrypt this information, Litan told me.

"It is the first time there's been such a massive PIN debit fraud," Litan said. "It shouldn't be written off as just another breach." The fact that she even used the words "just another breach" tells you just how bad things have gotten.

There's another tricky aspect to the theft of encrypted data: Banks in some states aren't necessarily obligated to inform their customers of this theft because, since the data is encrypted, technically there isn't a "reasonable risk" that the theft could lead to an invasion of one's privacy. Of course, in reality that reasoning goes out the window if the encryption key is also stolen.

More than 20 states have laws regarding data breach victim notification, and federal legislation is pending. California's Information Practices Act, for example, requires any company that conducts business in the state to disclose any breach in the security of the data of any resident of California whose unencrypted personal information has been compromised and acquired.

Although Citigroup counts itself as one of the "victims" in this crime, this is a very liberal interpretation of the word. The people who couldn't get their own money out of their bank accounts are the real victims, and Citigroup is guilty of not protecting them from being victimized by this scam. Citigroup may not have been responsible for storing the PINs and encryption keys that were stolen, but certainly a company that large and influential has the power to demand that retailers not store Citigroup customer PINs at all. Citigroup and other banks should also be asking retailers, service providers, and other companies they do business with how their customers' data is being protected. This would include ensuring that encryption is done properly. Surely Citigroup's IT executives are smart enough to know that the master encryption key must be closely guarded and kept away from the encrypted data.

When your bank's name is on the debit card, you can't go pointing the finger at someone else.
