Debit Card Fraud Tied to OfficeMax Breach

Fraud affecting Massachusetts credit union customers may involve stolen PIN information from OfficeMax transactions, sources say.

Debit card fraud that has affected customers at a number of credit unions in central Massachusetts is linked to transactions at office supply retailer OfficeMax, according to investigators.

Dozens of credit union members in the towns of Leominster and Fitchburg, Mass., have been defrauded of more than $45,000 in the last few weeks by criminals in the United States and abroad, according to law enforcement officials in those towns.

The fraudulent transactions involve cloned Visa debit cards and may be linked to the theft of blocks of PINs from OfficeMax or an intermediary processor, sources familiar with the case said.

/zimages/2/28571.gifClick here to read about "spear phishing" attacks target credit union executives.

In Leominster, police know of about 40 victims of incidents at a number of credit unions in the area, dating back to Feb. 28, said Detective Scott Wolfeasazder of the Leominster Police Department.

New victims are turning up every day, he said. "Just today I found out that City Employees Federal Credit Union had seven accounts accessed, with funds withdrawn from five of them," he said, adding that Leominster Credit Union has had to close 500 debit accounts because of the fraud.

/zimages/2/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Most of the withdrawals are small, up to $500, and many were conducted in Barcelona, Spain, though ATMs in the United States and Canada have also been used. In total, the damages are upwards of $30,000, he said.

All the victims the police have reached at this point shopped at OfficeMax and used a Visa debit card, Wolfeasazder said. "Thats the common denominator on this end," he said.

In neighboring Fitchburg, police know of dozens of residents who have had debit cards used fraudulently, with totals of around $17,000 in damages, said Sgt. Glen Fossa of the Fitchburg Police Department.

The transactions date back to mid-February and were linked to ATMs in Illinois, Turkey, Great Britain and Switzerland, he said.

The random nature of the fraud and its geographic distribution indicate that the stolen information is being fenced on the Internet, investigators say.

Next Page: What information was stolen and how?