The Secret Service is investigating a rash of credit card fraud cases reported by customers of more than a dozen banks and credit unions in the Northwest.
The number of people affected has not been determined, said Kevin Miller, the agent in charge of the Secret Service’s office in Spokane.
Spokane grocery wholesaler URM Stores Inc. has launched a forensic review of its systems in the wake of worrisome inquiries from banks and credit unions about whether it may be connected to the source of a security breach.
Miller’s office has received reports from area and regional banks and credit unions for the past three weeks.
“For the Spokane region, it’s a substantial fraud incident,” Miller said. He called it the largest outbreak of credit card fraud he’s seen in nine years in Spokane.
The reports of misused cards range from purchases of items in Saudi Arabia to multiple purchases of gift cards in grocery stores in the Midwest and California, credit unions said.
No one has yet identified where a breach may have occurred that exposed credit card numbers, Miller said.
While no individual business or bank has reported a loss of credit card information, some area officials said they’ve seen a number of “common points of purchase” connected to the fraud spree.
Those common points are individual stores where a customer has used a credit or debit card that was later involved in a fraud. When two or more compromised cards show they’ve been used at the same local store, investigators start asking if the transaction system for that store is involved in the breach.
So far, many of the common point identifications are grocery stores affiliated with URM.
URM operates both a wholesale grocery distribution service to area grocery stores, and a computer network that delivers purchase data at those stores to a global card transaction company, First Data.
On Monday, URM chief executive Ray Sprinkle posted an online statement in response to inquiries from banks and credit unions about a possible breach.
Sprinkle said URM is working with a forensic team to find where any local data break-in may have occurred.
“At this time we cannot confirm any unauthorized disclosures. Out of an abundance of caution, in the absence of conclusive evidence that any card numbers have been compromised, we are informing you of our investigation,” the statement said.
Sprinkle also said URM does not store the transaction data that ends up being processed by First Data. The role URM plays is as a “real-time pathway” for that transaction information to First Data’s main servers.
The frequency of unauthorized card transactions varies with different banks and credit unions, and includes both credit and debit cards.
About 15 cardholders at Spokane Media Federal Credit Union have reported illegal purchases in the past few weeks, CEO Debie Keesee said. That is more instances of fraud than she normally sees in a year, Keesee said.
She and other banking or credit union officials say the next step, once a breach source is found, is to learn how many credit cards need to be replaced. That number is based on determining when cardholders used their cards at merchants or stores whose data was potentially grabbed by cyberthieves.
That information will come from the credit card companies, such as Visa and MasterCard, who will gather the key numbers from the company that finally identifies itself as the source of the breach.
Keesee estimates about 180 of her member cards will need to be replaced, at the cost of $20 or so per card.
The cardholders are generally reimbursed for the amounts charged against them.
Mark Smith, CEO of Sears Spokane Employees Federal Credit Union, in north Spokane, said he’s convinced the outbreak is limited to the Pacific Northwest. He’s talked to credit union officials elsewhere who are not reporting a rise in fraud reports.
He’s talked to nearly a dozen credit unions in the Northwest that have reported similar jumps in card fraud, he added.
Sears Credit Union has 300 members with credit cards, and so far 20 have reported illegal charges against their cards.
The purchases are both for higher-ticket items, often purchased online and outside the United States, and for smaller purchases at a store inside the country, Smith said.
Many purchases involve a physical card that someone has produced with the original numbers and name of the cardholder.
Because of the time it takes to produce counterfeit cards, Smith surmised that the first breach and collection of numbers may go back several months.
“We’ve even seen some (fraudulent) purchases at a McDonald’s, in fairly small amounts,” he said.