Banks are continuing to deal with the fallout from last month’s massive Target stores data breach, as reports of sudden card cancellations popped up this week in the Mahoning Valley.
On Friday, Target announced that the scope of the security risk is even greater than the 40 million customers initially reported. An ongoing investigation revealed that as many as 70 million customers could have had their names, mailing addresses, phone numbers and email addresses stolen, the retailer said in a statement.
Home Savings and Loan Co. of Youngstown, responding to a “high volume of fraud” earlier this week, deactivated customer debit cards without first telling its customers in an effort to stem illegal activity, prompting confusion and frustration.
Affected customers on Tuesday and Wednesday did not know that their debit cards may have been compromised, and they did not know why the cards wouldn’t work.
The bank on Wednesday posted a notice to customers on the home page of its website saying that Home Savings deactivated compromised cards to “minimize the security risk to its customers.”
In a statement Friday, Home Savings said it canceled debit cards before customers were notified by mail because the bank had to act quickly to prevent more fraud.
Home Savings said the deactivated cards account for just 1 percent of its debit-card customers and that it deeply regrets the inconvenience. Customers will not be held responsible for any losses caused by the fraud, the bank said.
Huntington Bank said it had finished reissuing cards to customers who may have been impacted by the Target breach.
Huntington said it tried to contact customers before taking that action, and it did not cancel any debit cards while new ones were being sent to customers, “except in very limited instances of active fraud.”
“Active independently confirmed fraud may necessitate account action before customer contact is possible,” Huntington said in a statement.
Alicia Miller, a marketing manager at First Place Bank, said First Place avoided sudden card cancellations when dealing with the breach.
“That’s not how we handled the situation,” she said.
Instead, Miller said, First Place mailed letters during the week of Jan. 2 to customers who used their debit cards at Target stores during the breach, telling them that the bank was going to reissue cards.
“That doesn’t mean that there was fraud” on all of those accounts, but the notice went out to all “customers that used that card within that window,” Miller said.
Deactivation happened after those letters were received, she said.
PNC Bank in late December enacted a strategy of “proactive communication” that included emails, messages on its online update board, an active call center, and social media engagement, said Marcey Zwiebel, a PNC spokeswoman.
The bank dealt with customers on an individual basis and only deactivated cards that had seen suspicious activity, she said.
Each bank has its own mechanisms in place for monitoring and handling fraud, and there are no federal regulations yet in place that govern protocol for dealing with fraud, according to the Ohio Bankers League, a trade association that represents banks across the state.
But a good place to look for guidance is a 2005 interagency letter that established a response program for financial institutions to follow when dealing with instances of fraud.
In the letter, the Federal Financial Institutions Examination Council said banks should notify their customers as soon as possible when they confirm unauthorized access to sensitive information.
That notice should be made in a “clear and conspicuous manner” and delivered “in a manner designed to ensure that a customer can reasonably be expected to receive it,” which could include a telephone call, a letter or an email.
James Thurston, spokesman for the Ohio Bankers League, said that notification closely follows the primary responsibility on the part of banks, which is to secure any potentially compromised accounts.
“In some cases, that may happen before they send the notice out,” he said.
The broadened scope of Target’s data breach was not surprising, Thurston said, because investigations often turn up more damage than initially suspected, and he acknowledged that the fallout from the Target breach will be an ongoing issue.
“Unfortunately, that’s typically the way this works,” he said, adding that the news would not change the way banks approach the situation moving forward.
Banks are still telling customers to look for fraudulent activity by checking their accounts online, reviewing ATM statements and visiting their local branches.
Customers are reminded to never give out PINs or other personal information over the phone because banks will never make that request on a call.