Standing next to the ATM on Tuesday, I stared at the receipt in my hand and tried to make the numbers add up. My wife and I had both been paid only a few days before, but our bank account now had less than $200 in it. Since we share our expenses, we each sometimes discover little surprises when she pays for a car repair or I cover a veterinary bill, but this was a big surprise -- and not a pleasant one.
When I got to the office, I looked up my account and quickly discovered the culprit: three charges totaling more than $1,800. I called my wife to make sure that she hadn't recently decided to buy a new Bose stereo system or made several hundred dollars in pharmacy purchases. A few minutes later, she was walking into the office of our local Chase Bank (JPM) to talk to a human being about our almost-empty account. She had barely explained our situation before he burst out "Wow, I've had, like six people in this morning with the same problem!"
An Office Full of Victims
Six people in a single morning seemed a bit high for one teller, but when I started talking to my coworkers, I discovered that I wasn't even the only one in my office who had recently had his account hacked. My coworkers Ken and Ryan had both recently found a bunch of confusing charges on their Chase accounts, and 10 other office mates whom I didn't know had had their accounts breached within the last few months. As I widened my search, I found dozens of people who'd recently had their information compromised. An alarming number were Chase customers.
Was this a crime wave? The Chase representative I talked to refused to comment on whether or not the company was experiencing an uptick in breaches, but John Zurawski, a vice president at an online security firm Authentify, was able to give me a clearer picture. This isn't an especially active time for hackers, he said. "The attacks on online financial accounts are continuous," Zurawski explained. "The level of activity is routinely high because the likelihood of being caught is extremely low."
I was already feeling a bit edgy, but Zurawski quickly amped up my paranoia by pointing out the number of ways that my account might have been breached. According to him, my information could have been "skimmed" at an ATM, collected at a parking garage, swiped by a disgruntled employee, or compromised in dozens of other, diabolically creative ways.
My Favorite Company That I Don't Even Know
In all likelihood, though, my information was breached because of a company I had never heard of, much less willingly used. Zurawski reminded me of the Global Payments breach, a news story that broke in early April, after the electronic transaction processing company discovered its system had been hacked earlier in the year, compromising up to 1.5 million bank accounts.
Although I had never directly dealt with Global Payments (GPN), Zurawski said that I've probably used its services dozens of times. One of the largest online payment processors, the company handles online transactions for thousands of merchants around the globe. When you pay for something on the Internet, your bank probably doesn't deal directly with the company that you're buying from. Rather, your information gets passed on to Global, which passes it on to a bank, which completes the transaction.
In other words, a company I've never heard of, have never directly dealt with, and know nothing about may hold the keys to my bank account -- and, in this case, may have misplaced them.
This was disturbing, but it still didn't explain how the Global breach, which was discovered almost a month ago, could be responsible for last week's charges on my account. Zurawski pointed out, however, that this recent rash of bank hackings might fit a trend.
"Usually, when an account is hacked, the mischief makers like to hold off on using the information, in order to cover their tracks," he noted. "But when a breach is discovered, they may feel compelled to use the information sooner, rather than later." So my account -- as well as Ken's, Ryan's, and those of several other coworkers -- may all have been breached by the same criminal organization, which spaced out its use of the information.
Joining the Hacked Club
I was surprised to discover how many of my friends and coworkers had had their accounts compromised, but I soon realized that we were only the tip of the iceberg. According to the Privacy Rights Clearinghouse, a nonprofit consumer advocacy organization, 3,044 data breaches have been made public since 2005, affecting 546,357,063 compromised records -- more than one for every person in the country. Most of these aren't bank accounts, but it seems likely that records involving almost every aspect of our lives have been breached at some point.
Paul Stephens, director of policy and advocacy at PRC, agreed that my account might have been compromised in the Global Payments breach. According to him, it "heavily impacted people in the New York City area." But I will probably never find out for sure: Global Payments has not released any information about which accounts were affected or which companies were involved. "It's the typical stonewalling that we get when these types of breaches occur," Stephens explained.
My wife and I are fairly careful about our bank security: We regularly check our account for unexplained charges, shred our mail, and are careful about which ATMs we use. However, Stevens pointed out a major chink in our armor: A few years ago, we started making most purchases with our debit cards.
"You shouldn't use your debit card to buy things," he told me. "They don't have the same legal protections as credit cards." Under the law, he noted, banks have 45 days to investigate compromised accounts. If they have not concluded their investigation within two weeks, they must reimburse the customer, but are legally able to take the money back if they later find that they have been cheated. "If you're using a debit card, you could end up in a situation without funds," he warned.
On the bright side, Chase seems to handle these problems quickly. Every person we talked to commented on their fast, efficient service, noting how quickly their funds were restored. In our case, the money was back in our account within a day.
Still, Stephens has a point. Within a day, yet another mystery charge was on our account, this one from a company based in Great Britain. Here we go again ...
Bruce Watson is a senior features writer for DailyFinance. You can reach him by e-mail at firstname.lastname@example.org, or follow him on Twitter at@bruce1971.
Get info on stocks mentioned in this article: