Protecting yourself

Bank of America gives me data breach deja vu

Jeremy Simon

For the second time this year, my credit card’s security has been compromised.

Back in January, I learned that my credit card was reported stolen by FIA Card Services (a Bank of America subsidiary) after I got an email notification from the AAA Texas credit monitoring service about a change to my credit report. At that time, when I called the bank, they confirmed that I was among a group of cardholders who had their information possibly exposed due to transactions at an unnamed merchant. They had decided to preemptively issue me a new card, which I later got in the mail.

And in a case of near deja vu, late last week, I received both another notification from AAA and a letter containing a new replacement card from FIA. So I decided to find out what merchant was the source of this latest breach.

When I logged into the CreditCheck Select website — which provides me with free credit monitoring as an AAA member — I saw that under the “potentially negative information” header on my report, that FIA card had been reported “lost/stolen” earlier in August. I then called CreditCheck Select’s customer service, who explained that, yes, my FIA card information had apparently been compromised. The customer service representative also said it was unusual for a card to be reissued twice in only seven months. She wondered out loud why my FIA account information had been compromised again, but added that it did seem the bank was working to keep me safe.

I then reached out to Bank of America, but wasn’t provided with any specifics. “Through our fraud monitoring and based on information we receive from the card associations, we will notify a customer and block and reissue their card if we believe their card information has been compromised at a third-party location. It sounds like that’s what happened in your case,” says BofA spokeswoman Betty Riess. She added that the breach would have occurred at a third party, not at Bank of America.

“Information we receive from the card associations does not include merchant name or location, and we wouldn’t have that information to share,” Riess says. According to a report on their website, (hat tip: American Banker) received a similar response from the bank last week when it asked about a breach that impacted some Bank of America debit card holders. (Although that same breach may have compromised my card data, I have a credit card, not a debit card.)

A call to FIA’s fraud services department, via the bank’s customer service line, wasn’t any more revealing. The FIA representative couldn’t provide the name of the merchant from whom my information may have been accessed by a fraudster, since he said Visa and the bank have agreed to keep that information confidential. The representative said that I was victimized in what appeared to be a “mass compromise” of card information, rather than an isolated incident at a local merchant.

So what if I wanted to stop doing business with a merchant that wasn’t adequately protecting my personal data? How would I find out about the source of such a breach? If it had been a problem with a local merchant or a repeat occurrence at the same business, the fraud services representative assured me, I would have been alerted to the merchant’s name. After all, FIA doesn’t want to lose my business, he explained.

Meanwhile, I ran the story of my compromised information — along with the reports of a wider compromise of BofA and Citi cardholders’ information — by two consumer advocacy groups.

Ed Mierzwinski, consumer program director for U.S. PIRG, a consumer watchdog group, says that while consumer advocates argue that we need tough data breach laws to help protect consumer information, banks and data collectors would prefer weaker laws.

“In our view, without the threat of public shaming, firms won’t do enough to prevent breaches in the first place,” Mierzwinski says.

Other advocates say FIA’s response was appropriate. “If this is indeed a merchant breach, then I would suspect that it involves much more than just cardholders at Citi and BofA/FIA. Perhaps Citi and BofA/FIA are being more proactive in reissuing cards than the other big issuers such as Chase and Cap One,” says Paul Stephens, director of policy and advocacy with the Privacy Rights Clearinghouse, in an email. He says it can be expensive for banks to issue new plastic. As a result, some “issuers may believe that the overall cost of absorbing losses for fraudulent transactions might be less than the cost of reissuing cards,” Stephens says.

“Overall, I’d say be happy that BofA/FIA is being aggressive in card reissuances to protect against fraud,” he says.

What’s your reaction? Were you also recently mailed a new Bank of America credit card? Do you think that cardholders have the right to know what merchant experienced this breach? Share your thoughts in the comments section below.

See related: AAA alerts me to stolen credit card, 10 ways to protect yourself from data breaches, States with laws requiring consumer notification of ID theft

Join the Discussion

We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, we ask that you do not disclose confidential or personal information such as your bank account numbers, social security numbers, etc. Keep in mind that anything you post may be disclosed, published, transmitted or reused.

The editorial content on is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company's business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.

  • Connie Prater

    I, too, got a new credit card from Bank of America last week. The letter said “some information from your Bank of America account may have been compromised at an undisclosed third-party location.”
    Hmmmm..It does make me wonder what happened.
    For cardholders like me, it meant I had to figure out which services or merchants I have used to make online purchases and go to their websites and change the credit card payment information to reflect the new account number and security code. There were two that I had: Groupon and Living Social. There could be more, but I don’t recall which cards are entered for the different online services that I use.
    It’s an inconvenience, but the flip side is an unauthorized purchase with the account.
    This kind of thing will continue to happen because the hackers always seem to be one step ahead of the security measures card companies have in place.

  • Matthew

    I also received a notification from Bank of America today. My account number was compromised. I believe the problem is more internally with Bank of America than an outside vendor. The account number was used at a Washington state winery.

  • freddy

    This happened to me several months ago. No notification until I got the alert from myfico about the change to my credit report– and then called B of A and was rudely told that my card was compromised. What bothers me is that the bank reports this to the bureaus as a “lost or stolen card”- implying that I, as a cardholder, was responsible for the loss. There should be a move to make “data breach” a designation instead. Meanwhile, my credit score took a 5 point loss as a result of this. There was a large B of A breach that was INTERNAL and was being investigated for over a year. A B of A employee had a theft ring going….

  • Thanks for the comments, Matthew and Freddy. Sorry to hear your accounts were also compromised.
    @Matthew – What makes you think the problem is an internal one at BofA? I’d be interested to hear more.
    @Freddy – That’s a good idea about a “data breach” designation on credit reports. Why did the data breach cause a drop in your credit score? Just want to clarify.

  • russell

    I have been a victim of card fraud twice and was beginning to feel helpless. I did not want to carry cash but my cards seemed to expose my accounts to unauthorized charges.
    I heard about this new card product called a Secure Identity Prepaid Card. It has a security feature that lets you turn your card on and off using your cell phone. You send a text message to activate it before you make a purchase. If your card is ever lost or stolen, the card could not be used. If someone tried to use the card, you would get a text alert telling you the details of where it was used but the charge would not go through. If you wanted to have the purchase go through, you could activate your card and have the merchant swipe it again.
    I can only spend what I load on it which I hope will help me better budget my money. I plan on using it instead of my bank debit card (and certainly not a credit card). You can fund the card by transferring money from your bank account by a bank transfer or from PayPal. I just enrolled for one and I am waiting to get it in the mail. I can’t wait to try it out.

  • Susan

    I’m almost certain that the breach occurred at B of A. I just read an older article in the Washington Post that stated: “Forensics investigators at Verizon Business, a firm hired by major companies to investigate breaches, responded to roughly 100 confirmed data breaches last year (2009) involving roughly 285 million consumer records. That staggering number — nearly one breached record for every American — exceeds the combined total breached from break-ins the company investigated from 2004 to 2007.
    In all, breaches at financial institutions were responsible for 93 percent of all such records compromised last year

  • @ Russell – Good luck! Let us know how that works out.
    @Susan – Thanks for the info. Why do you think that BofA is the source of this breach?

  • David

    I did NOT receive any notification from BofA. But this was not a good thing. It was a bad thing. My ATM card # had been compromised and it only came to my attention when I kept getting overdraft notices, and $35.00 charges for each, in the mail. I KNEW I wasn’t spending more than I had so I looked into the matter. It turns out that BofA had been processing ATM charges against my checking account for several months. Upon review, innocent-looking charges were on my statements, such as “e-Bill Pay $ 39.00” . As I paid credit cards and other bills through this account, and the amounts were relatively small, these transactions did not stand out. But the problem did not stop there. Because my business checking and savings accounts were LINKED (which is required for you to transfer funds from one to the other) BofA KEPT PAYING FROM MY SAVINGS ACCOUNT even when the bogus charges became more obvious. For example, on the same date, there were legitimate charges made by me at my usual, local gas station, there were charges for train tickets in Dublin, Ireland. Most of the bogus charges seemed to be place from the UK and included ITunes & other music store sites and for travel.
    Upon contacting BofA in a panic, the first thing they did was try to establish THE POINT OF FIRST ABUSE of this account. This is KEY. But rather than seeking the origins of the matter to protect me and help resolve the matter, BofA was only looking to establish the POINT OF FIRST abuse to get out of helping me. As it turns out, if I did not call any such abuse to their attention within 60 days, ALL SUBSEQUENT ABUSE IS NOT COVERED. Because the “e-bill” charges did not stand out as “abuse” and because by their own admission, BofA’s “fraud detection” dept. did not notice any unusual activity, BofA graciously REFUSED TO COVER THE BOGUS CHARGES. They indicated to me that this was my fault for not noticing the bogus charge sooner; that I could have authorized someone in Dublin, Ireland to use my card on that same day I was buying gas in my hometown. Basically, BofA made excuse after excuse why they were not obligated to pay. They shared no information with me about where the card was compromised and the more I complained up the ladder, the more distant they got. In the end, my business checking account was cleaned out, my meager savings account was cleaned out and BofA STILL wanted several hundred dollars in those pesky overdraft fees, saying “hey, business is business”.
    I closed out my relationship with BofA and cannot recommend them to anyone. Of course, I could have been more diligent in reviewing my statements, but they failed to review my account data even as I was watching TV commercials assuring me how safe I was using their cards.
    Here is what a victim would like to share with you;
    1) linking your accounts has a downside. Reconsider any linked accounts. Ask your bank about the negatives of linking, particularly in cases of fraud
    2) review your statements regularly and challenge any and all charges that you might not recognize. Even if you later find it was a recurring and otherwise innocent charge, your failure to spot the tricks of savvy criminals will be used against you.
    3) ask your bank about fraud protection. KNOW what the policies are and what they do, both proactively and upon incident, to protect you.
    4) As a matter of basic security, and even if you have to lie about it, for your own protection it’s a good idea to have your card reissued, with a new account number, periodically. It might be the best way to proactively protect yourself and to a large degree, you are the first line of defense against fraud, and sadly, maybe the ONLY line of defense. Changing the card number will do more to protect your account than any other single thing you can do.
    5) It was estimated by others and suspected by myself that my account information was compromised at a gas station. Despite the convenience, simply try to avoid using the card at all, and if you must, be aware that outside card readers are more easily hacked or covered over by fake readers that steal data. Avoid using the card at strange or unfamiliar merchants.
    6) Expect more of the same. Credit/ATM card databases are increasingly hacked, almost weekly now it seems. Don’t wonder IF it can happen to you because then, it’s too late when it does. Awareness that it’s likely only a matter of time until you or your bank experiences a data breach, will help put you in the proper mind-set to start watching out for yourself.
    7) Repeat; use the card less. Your bank will hate you for it but, the less you use it, the lower the odds of personal data loss. Use the card to get cash & pay with cash. You remember cash, right? That green stuff that keeps you anonymous? Use it whenever possible.
    I hope this helps someone. I lost over $3000.00 from my small business and i still have not recovered. But also, it crushed me to find BofA so non-responsive and brutal. Their FIRST move was to limit their liability, not to help me. Their LAST move was to tell me too bad, please pay those overdraft fees. I’m certain that large BofA customers get better treatment so if your rich or have a big company, maybe BofA will work better for you. But if your just an average person, like me, read the above suggestions again and take them seriously.
    Good luck and be suspicious.

  • Karen in Texas

    On 8/27, I was reviewing our checking account online & saw an unusual charge of almost $400. I called my husband at work & asked if he ordered something from that firm. Not only did he not (never even heard of the company), he received an automated call on his cell, claiming to be from Bank of America, advising him of possible fraudulent activity. When he called that 315 area code number back, the recorded message asked him to enter his social security number… Sure! Someone hacks your account & you’ll provide your social to heaven knows who on a recorder? NOT!
    Later we called BOA at the correct published number & they confirmed someone had tried to use our debit card number to charge payment to an automotive repair company in the UK! No idea how anyone caught this, but I’m sure glad!
    We immediately cancelled the card number & ordered new ones at our local branch the next business day. BOA confirmed it was NOT accidental use of our card number since the thief attempted it several times.
    So we were lucky! But were we really part of the group that BOA learned had been compromised in August & they just neglected to include us in their impacted customers? There is no excuse for allowing merchants with security breaches to hide their identities! If we knew, we would have taken a proactive stance, not reactive. We have the right to know who exposes us to fraud!

  • Brian

    @Karen: Yes, that is what BoA does! We received a call this weekend, also asking for the SSN. I was able to confirm through BoA that indeed it was them calling, and they do indeed ask you to identify yourself by giving your SSN. Which, you know, is EXACTLY what phishers and scam artists do. WTG BoA.

  • cifey

    I had my fiacard number stolen 3 times within a 2 month period. I have other cards that I used while waiting for this one and none have been compromized.
    I suspect 2 things:
    1. my local computer is compormised.(no malware found though)
    2. or FIA (BOA) is compromised
    3. or a merchant is compromised (at&t, amazon, gexa, geico)
    The illegal usages were in 3 separate remote locations so that rules out local fast food joints etc.
    I am canceled my fia account and am going to use a different card company now and see if the fraud stops.
    Also will scan all computers for malware and use a different ‘safe’ computer to enter the card#.
    Note that gexa charged $25 when an auto pay didn’t go through :(.

  • Sam Morris

    Today I received YET ANOTHER new credit card from Bank of America. This is in addition to one everyone here is discussing. It is the 5th number I have been issued by BoA based on “merchant security issues”. Of course, the merchant, which I could still be using, remains unnamed, and it is impossible to get that information from either BoA or Visa.
    I have other credit cards, but apparently it’s the merchants I use the BoA card with that are affected and I NEED TO KNOW WHO THEY ARE. BoA will lose my business after this last pain in the neck incident.

  • Sara

    I think it is something from the inside. I had this happen twice in the past 4 or so months and have had to go through all the hassle of changing my credit card number for all the automatic payments I set up. I hardly ever use this card at all for anything except for automatic payments of my phone bill which a few months ago changed from AT&T to T-mobile, so a 3rd party merchant seems far-fetched. I just cancelled my card. Chase Freedom is awesome.

  • Bev K

    Twice in one year our BOA credit card has been compromised !! I really feel that someone in the company is abusing the system !!!

  • Bill

    I work in a bank and deal with this. It is always a tough decision to replace a card. The customer is never happy, or it seems. I am not a fan of the mega banks, but can verify that merchants are being compromised. We may see it when charges that could not possibly happen at the same time do or a customer brings it to our attention.
    Often, I have no doubt, the merchants that are compromised don’t know. in the last few months, I have seen major companies compromised, single locations, and franchises. 3 different companies in the last 2 weeks have impacted cards we have issued.
    I am generally of the opinion, get our customer a new card. I wouldn’t want my purchase denied be cause someone decided to by a bunch of stuff a few states away.
    I’d be interested in what a customer really thinks on having a card replaced.
    As at as not knowing where the fraud happened, there is likely an investigation in place with authorities.

  • morgan

    I have two cards with FIA/BofA as the provider. Both have shown fraudulent charges in the last month. I think BofA has a serious security failure.

  • Sarah Ogbemudia

    Two weeks ago my bank of america debit card that I have had since 2010 was used by Fraudsters to purchase games online. Within a week of receiving a new debit card from BOA, it was used again by fraudsters to purchase even more games online. I am so confused becasue I do not kwow how this has happened and BOA are not very helpful as well. I have lost faith in BOA security on their cards. I wonder what percentage of their customers have experienced this abuse of their debit and credit cards.

  • Ken Powell

    I recently am going through this with Chase bank. Not one purchase was made with my card. I am being told that a breach of my information was made and the account needs to be closed. A breach? not one fraudulent charge yet I have to deal with all of this and can’t get the information on who let my credit information slip? This is ridiculous, I would like to stop doing business with a company that doesn’t protect my information.

  • Nathan

    I received a notice from both Bank of America and my local credit union (BofA is a credit card and the CU is a visa check card). Both cards are stored with 3 different online merchants: Amazon, Western Union, and Google Wallet. I’m assuming it’s one of these and not BofA since I have 2 different credit cards with them and only 1 was flagged.
    Thanks for the post. This is the only place I found any information about it.

  • Polly

    I have both a business and a personal credit card account at BOA. I have lost track of the number of times my card has been reissued due to compromised information or suspected fraud. Now it seems to happen every 6 months or so! I too think the problem originates with BOA and am now looking at other card companies. I’m just fed up!

  • philip

    My credit card was also compromised. BofA sent me a new card. They will not give me any information about the breach but they did give me a direct number to Visa for the name of the vendor who allowed my credit card number to be compromised.
    I specifically searched for information about this online and found this blog and a number of similar cases. Bank of America is in the habit of masking fraud against your account as a new eBill, hoping you won’t see it for 60 days, because then it legally becomes YOUR DEBT. I suspected this might be an upcoming problem when I all-of-a-sudden received a letter from Bank of America stating specifically that any fraud older than 60 days, THEY ARE NOT RESPONSIBLE FOR, AND THE DEBT WOULD LEGALLY BE MINE. This was the entire purpose of this letter. What it did was to remove them from any responsibility for allowing my accounts to be hacked.
    This is the second time in 8 months my card has had to be reissued. The first time was when my former employer (the BUSINESS OWNER!) from Warren, Michigan answered the office phone when the bank called my work number. He pretended to be me, gave my social security number and my date of birth WHICH HE HAD ON FILE, and discussed my account with them. I had already left the company and was not even in the United States at the time.
    This same employer also practiced my signature. I snapped a photo of his attempts to perfect my signature at that time.
    I also reported him to the FTC after I found out about the January 8th, 2013 breach at his office when Bank of America called him and he pretended to be me. But, I did not file charges against him at his local police station and the FBI.
    Bank of America’s response was to simply reissue me a new card. that’s it. That’s all they did. Then they said they would block the former employer’s phone number from being called or from being able to call in. But they didn’t. The phone number for my former employer was still listed on the site profile as my work number as recently as a week ago when I noticed the eBill charge for $150 and began inquiring where the charge came from, and began getting the run-around, non-answers and hang-ups on the call and the two chat sessions.
    Because I noticed this eBill for $150.00, ( I noticed it a week ago, and have had two chats and one phone call with BofA about it… The phone call and both chats ended abruptly as I began to ask questions about the $150 charge) then today will I sit with my banker and discuss it with him, reporting here what happened in the meeting.

  • Marfa

    My reaction is that it sucks not be told which merchant compromised our cc information. It just happened to my mother. She talked to Bank of America and got the same unacceptable response. With all the cc fraud and id theft going on, there should be a law forcing cc providers to tell people which merchant or merchants compromised their cc information.

  • Kyle Gray

    I have two credit cards at BoA. Last month one of them was re-issued with a new number for the fourth time in 3 years, and this week the second one was re-issued with a new number for the fourth time in 3 years.
    At this point I am beginning to think the security breach is on BoA’s end. Why?
    Well, I’ll admit it, when I was younger I was terrible with credit cards. I got my first card at 18, and just kept getting them. I have tons of them.
    The thing is…. the BoA card is the ONLY one that’s ever been re-issued. EVER. My other cards are almost 20 years old and still have their original numbers. And I’ve never had a problem with unknown charges showing up on them. And I’ve used each of them as often as my BoA cards and at the same locations.
    So yeah, at this point it’s gotta be BoA. And it really sucks to have to regularly reregister at sites that I have recurring payments set up for (Netflex, phone, etc)… I guess I’m finally learning my lesson and won’t be putting them on my BoA card anymore.

  • Dash Riprock

    Once in awhile I send my kids money through Western Union and 3 times this year alone Bank of America has stopped my bank card and re-issued a new one, I’ve asked repeatedly if it was the Western Unions [none over $50.00] that was triggering the “unusual activity” alert and they refuse to tell me. So you might want to remember that if you have to send money to someone.

  • Kj-Colorado

    I too am getting mutiple re-issuances of cards from BoA indicating a “compromise” has been made. Why do we not have rights that inform us of what merchant compromises our data? Is it because the merchants may stop reporting it if thier establishment is identified? Seems liek we should be given the information.

  • PN

    They won’t tell you which merchant because most likely it was an internal BofA breach and they don’t want word to get out.

  • AlexanderLexham

    Thank you for this very informative and reliable post. Bank of America has released a new type of rewards card. Rather than rewarding consumers for spending — which only boosts the amount of their debt — it pays them when they pay their bill once it is due and they will pay just a little more than their minimum monthly requirement when doing this. In that way, it is incentivizing individuals to handle their loan debts more sensibly.

  • Ron Davidson

    This has been a frustrating issue for me in that, over the years I have gotten the business of “information may have been compromised”. Fighting with these people trying to find out where the breach occurred seems pointless. How are there not laws protecting consumers that make such information available to us? If a breach occurs I feel like since it’s directly connected to me I should have the right to know where and how it happened, so that I may take further steps to protect myself or see that the merchant or agency be held to a higher standard.

  • Chuck

    Between Capital One, BoA, and Citi, my wife and I have received probably 6 new cards in the last 4 years. In fact, BoA just left a voice mail saying that my wife is getting a new card and account. The irony is that she just activated the new card on the old account this month.

    But, as others complain, we never know which merchant is the cause of the problem. The voice mail said that a merchant’s system was compromised.

    We know that there have been some major hacks over the years, such as Michael’s and Target. But, it’s quite possible that a large merchant could have a problem with just one store, such as a clerk who looks at cards and memorizes information or people who have put a skimming device on a card reader.

    Regardless, if I know which merchant has issues, I can either avoid that merchant or simply pay with cash (or a check for larger purchases).

    I used to be able to rattle off my credit card accounts, when making a purchase over the phone or on the web, without having to pull a card out of my wallet. But, with frequent changes in account numbers, I’m always pulling a card out. It’s annoying.

  • Concerned

    My entire family has started receiving random cards in the mail from WellsFargo – being told there was a report of Fraud against the card so they stopped it. No one in my family has reported any such fraud. The company refused to provide the name or details of the supposed fraud and refused to allow my family members to continue to use their cards which were good up to 2018.

    A family member of mine got all the way up to a Senior Manager whom stated there was nothing he could do about it as this was something that was going on to “protect the people” affected by some mysterious fraud case and that everyone was now being issued a card with a ‘chip’ inside of it. You were NOT allowed to keep your card without the chip.

    Something MUCH larger is going on here people… How many of you went from having no chipped cards to suddenly having a mysterious fraud charge and a new card with a chip in it?