Citizens Bank Replaces Scam Victims' Cards

Mar. 1--Citizens Bank has issued new bank account numbers to customers affected by the recent data-security breach at the Stop & Shop supermarket in Coventry, a bank official said.

The bank is one of three financial institutions whose customers were affected when thieves installed data "skimmers" at the store on Tiogue Avenue. In all, the thieves stole $115,000 from 1,100 accounts, using information stolen from the Coventry store. Citizens' customers lost about $100,000, Coventry Credit Union customers lost $10,000 and Centerville Credit Union customers lost $5,000.

The action comes as law-enforcement officers continue their investigation into how four California men used a rigged keypad machine to get access to debit-card and credit-card information at the store. The machines also were found at four other Stop & Shops in Rhode Island and one in Seekonk. Citizens Bank has also issued new cards to the affected Coventry customers.

The four men: Mikael Stepanian, of Studio City; Arman Ter-Esayan, of Valley Glen; Gevork Baltadjian, of Winnetka; and Arutyun Shatarevyan, of Los Angeles; remain at the Adult Correctional Institutions. They are being held on bail pending a court hearing.

"Theirs was a particularly brazen scheme," Beth Givens, founder and director of the Privacy Rights Clearinghouse, wrote in an e-mail. "Why mug someone and steal her pocketbook when you can steal a machine that will give you hundreds if not thousands of shoppers' account information."

The incident, the latest in a series of data security breaches plaguing retailers, has spooked consumers in the area, some of whom are venting their frustrations.

"I can't believe this -- again," said Sharon Hanrahan, of Rehoboth. "It's just a great concern."

Hanrahan buys her groceries at the Stop & Shop in Seekonk where one of the devices was found. Although no customer accounts were affected at that store, she's rethinking how she uses her debit card.

"Absolutely -- I'm going think through that whole convenience [factor]," she said.

She may return to using cash when she shops, Hanrahan said.

"I really see myself going in that direction," she said.

The breach comes just weeks after a Massachusetts legislator introduced a bill that would change who pays when such incidents occur. Currently, banks typically foot the bill.

A Massachusetts legislator introduced a bill that would make merchants pay for the losses that arise when hackers breach their databases. Now, banks typically are the ones who reimburse people for debit-card and credit-ard losses. The banks often have insurance to cover their losses. The Massachusetts bill, if passed, would hold any company -- a merchant, bank or data processor -- financially liable if it operates the breached system.

The bill was introduced in the wake of a massive security breach reported in January by TJX Cos. Inc., the Framingham, Mass., company that owns T.J. Maxx, Bob's Stores and other retail chains.

Retailers and bankers in the Bay State are squaring off over the legislation.

"We strongly oppose it," said Jon B. Hurst, president of the Retail Association of Massachusetts. "This is essentially [another] way to collect a fee."

Retailers already pay a processing fee when customers use a credit card, he said, and banks have begun fining retailers if the merchants don't comply with the security standards in their contracts.

Bruce Spitzer, a spokesman for the Massachusetts Bankers Association, sees things differently.

"The current system is busted," he said. "The retailers who've complained about this legislation have only to look inward.

"If they would only protect their customer data they wouldn't have anything to worry about."

As to whether Stop & Shop, based in Quincy, Mass., should be responsible for the losses in Coventry, he considers it "a gray area," Spitzer said.

Even so, banks are tired of paying for the lapses of merchants, he said. It costs a bank from $5 to $20 just to reissue a new debit card.

"It can be a significant expense for that alone," Spitzer said. "If you're responsible for the breach you should be responsible for the cost."

The legislation as well as the incidents at Stop & Shop and TJX are expected to be topics at a bankers' conference later this month.

The New England Debit Card Fraud Task Force, a consortium of state banking associations, will hold its third annual conference in Westboro, Mass., on March 19.

Copyright (c) 2007, The Providence Journal, R.I. Distributed by McClatchy-Tribune Business News.