For the second time this year, my credit card’s security has been compromised.
Back in January, I learned that my credit card was reported stolen by FIA Card Services (a Bank of America subsidiary) after I got an email notification from the AAA Texas credit monitoring service about a change to my credit report. At that time, when I called the bank, they confirmed that I was among a group of cardholders who had their information possibly exposed due to transactions at an unnamed merchant. They had decided to preemptively issue me a new card, which I later got in the mail.
And in a case of near deja vu, late last week, I received both another notification from AAA and a letter containing a new replacement card from FIA. So I decided to find out what merchant was the source of this latest breach.
When I logged into the CreditCheck Select website — which provides me with free credit monitoring as an AAA member — I saw that under the “potentially negative information” header on my report, that FIA card had been reported “lost/stolen” earlier in August. I then called CreditCheck Select’s customer service, who explained that, yes, my FIA card information had apparently been compromised. The customer service representative also said it was unusual for a card to be reissued twice in only seven months. She wondered out loud why my FIA account information had been compromised again, but added that it did seem the bank was working to keep me safe.
I then reached out to Bank of America, but wasn’t provided with any specifics. “Through our fraud monitoring and based on information we receive from the card associations, we will notify a customer and block and reissue their card if we believe their card information has been compromised at a third-party location. It sounds like that’s what happened in your case,” says BofA spokeswoman Betty Riess. She added that the breach would have occurred at a third party, not at Bank of America.
“Information we receive from the card associations does not include merchant name or location, and we wouldn’t have that information to share,” Riess says. According to a report on their website, Bloomberg.com (hat tip: American Banker) received a similar response from the bank last week when it asked about a breach that impacted some Bank of America debit card holders. (Although that same breach may have compromised my card data, I have a credit card, not a debit card.)
A call to FIA’s fraud services department, via the bank’s customer service line, wasn’t any more revealing. The FIA representative couldn’t provide the name of the merchant from whom my information may have been accessed by a fraudster, since he said Visa and the bank have agreed to keep that information confidential. The representative said that I was victimized in what appeared to be a “mass compromise” of card information, rather than an isolated incident at a local merchant.
So what if I wanted to stop doing business with a merchant that wasn’t adequately protecting my personal data? How would I find out about the source of such a breach? If it had been a problem with a local merchant or a repeat occurrence at the same business, the fraud services representative assured me, I would have been alerted to the merchant’s name. After all, FIA doesn’t want to lose my business, he explained.
Meanwhile, I ran the story of my compromised information — along with the reports of a wider compromise of BofA and Citi cardholders’ information — by two consumer advocacy groups.
Ed Mierzwinski, consumer program director for U.S. PIRG, a consumer watchdog group, says that while consumer advocates argue that we need tough data breach laws to help protect consumer information, banks and data collectors would prefer weaker laws.
“In our view, without the threat of public shaming, firms won’t do enough to prevent breaches in the first place,” Mierzwinski says.
Other advocates say FIA’s response was appropriate. “If this is indeed a merchant breach, then I would suspect that it involves much more than just cardholders at Citi and BofA/FIA. Perhaps Citi and BofA/FIA are being more proactive in reissuing cards than the other big issuers such as Chase and Cap One,” says Paul Stephens, director of policy and advocacy with the Privacy Rights Clearinghouse, in an email. He says it can be expensive for banks to issue new plastic. As a result, some “issuers may believe that the overall cost of absorbing losses for fraudulent transactions might be less than the cost of reissuing cards,” Stephens says.
“Overall, I’d say be happy that BofA/FIA is being aggressive in card reissuances to protect against fraud,” he says.
What’s your reaction? Were you also recently mailed a new Bank of America credit card? Do you think that cardholders have the right to know what merchant experienced this breach? Share your thoughts in the comments section below.
See related: AAA alerts me to stolen credit card, 10 ways to protect yourself from data breaches, States with laws requiring consumer notification of ID theft