When Sean Callahan of St. John’s was told Friday by a CIBC representative his CIBC Mastercard was used in Saint-Laurent, Que., he was surprised. He has never been there.
He was further surprised to discover more than $5,000 in fraudulent charges to his credit card account — nine separate charges at a single Target store in one day.
He had contacted the credit company and bank a day earlier, after his card was unexpectedly declined in western Newfoundland during a mini-vacation with family — at a golf course and a gas station. He had not had his card declined before.
“(Friday) morning they called me back to say the reason for the call was there had been a ‘security breach.’ Those were her two words,” he told The Telegram. “They’re admitting to a security breach where the card was used (Thursday) at Target.”
The name of the retailer and the words “security breach” set off alarm bells with Callahan, who recalled the massive theft of Target customer data in late 2013, involving credit- and debit-card information.
His card was used by a family member at a Target store in St. John’s Monday, July 7, just three days before the fraudulent charges in Quebec. He is afraid it was not a coincidence and wants to make other consumers aware of his case. “Obviously this thing hasn’t been fixed or there’s a whole new security breach,” he said.
The information theft that occurred in the U.S. in 2013 did not involve Target stores in Canada.
The breach involved data from customers of U.S. Target, between Nov. 27 and Dec. 15, 2013. About 40 million credit and debit card accounts were involved. In addition, personal information — names, emails, phone numbers — for 70 million customers was stolen. Some of the personal information was for the same customers who had lost account data.
Some Canadians were notified in January, through an email from Target, that their personal information was potentially stolen in the data theft. Canadians are estimated to account for less than one per cent of victims in that case, The Canadian Press has reported.
“The breach only impacted payment cards that were used in our U.S. stores. There continues to be no impact to any Canadian Target stores,” reiterated Molly Snyder, a public relations manager for Target based in Minneapolis, Minn., who responded Monday to questions via email.
Target has offered free credit monitoring and identity theft protection to individuals who shopped in the company’s U.S. stores at the time of the 2013 data breach. An enrolment period for that program ended April 30.
The company continues to see low levels of fraud, Snyder said.
“We encourage our guests to monitor their accounts and promptly report any suspicious activity to their issuing bank.”
In Callahan’s case, CIBC and not Mastercard was the issuer of the credit card. And Lauren Mostowyk, a spokeswoman for Mastercard, responded almost immediately to a message inquiring about the fraud case.
“We can’t comment on individual investigations, and at this point this is an individual investigation,” she said, but she added Mastercard does alert card issuers in a case of a suspected data breach or fraud.
When a credit card purchase is made at a store, she explained, the purchase information is sent through an acquirer (the terminal) to the card issuer, the card issuer approves or declines the transaction and the information is sent back to the starting point. The network is Mastercard’s, which is responsible for the financial transaction, she said.
Many frauds occur using information obtained before a credit-card transaction is started (say, by conning the card holder) or using information-capturing devices at the terminal, before information hits the network and is moved between the terminal and the credit card issuer. It is why credit companies are encouraging use of chip and personal identification number (PIN) cards, as opposed to cards swiped at a terminal machine.
“That comes with an entirely new set of security benefits,” Mostowyk said.
She said a wider use of chip and PIN cards in Canada has been a protection for consumers here over those in the U.S.
But Callahan’s account was compromised, however it was done, and his reaction reflects the effect of a large data breach on customer confidence and consumer trust in a retailer.
He said he did not report his case directly to the police, as CIBC told him it is being investigated.
While dealing with the headache of being unable to use his credit card, he was able to arrange for a new card to be sent to him. But he recommends people within the province be aware of the potential for their own accounts to fall to a fraud.
“My experience is very real,” he said.