4-8-2006
Security flaws at retailers affect thousands of debit card holders
Hundreds of thousands of debit cards may have been affected by fraud, but affected banks, card companies, and retailers are releasing very few details on the incident. Consumers first became aware of the problem as major banks, including Citibank, Wells Fargo, Washington Mutual, and Bank of America, blocked ATM transactions in Canada, the United Kingdom and Russia, and quietly began issuing new debit cards to customers.

The affected banks have since told reporters that the problems were related to fraudulent transactions that had been traced to data breaches at unspecified retailers. Recent reports have named OfficeMax and Sam’s Club stores as likely sources for the breach, although OfficeMax continues to deny that it knew of any security mishaps.

Thieves have apparently been able to collect not only the data contained within the magnetic strips on victims’ ATM cards, but also the PIN codes that allow access to their accounts. Fraudulent withdrawals in Canada, the United Kingdom, and Russia apparently triggered the blocks in those countries, and have led to the arrests of 14 people in New Jersey.

When consumers purchase goods with an ATM card, the PIN entered into the register is supposed to be encrypted when it is sent out for verification, and deleted after the transaction is complete. For the breaches to have occurred, the information must have been improperly retained on a computer and the thieves must have been able to decrypt the coded PINs, either because the encryption key was carelessly stored on the same server, or through hacking by an insider.

The scope of the breach underscores the need for laws that will protect consumers from such crimes, by notifying them when breaches occur and allowing them to freeze accounts if they suspect fraud. Many bills currently before Congress provide loopholes that would allow breaches like this one to go unreported, and would not allow victims to place security freezes on their accounts unless they first filed a police report. Some of the proposed laws would also eliminate stronger state consumer protections.

(Editor’s Note: This article is courtesy of the Electronic Privacy Information Center (EPIC). EPIC’s identity theft page can be found at www.epic.org/privacy/idtheft/)