Theft of Credit Card Info from Polo Ralph Lauren Hits Thousands

Breach affects 180,000 Mastercard holders; breach was first known about in January


NEW YORK (AP) - Data apparently stolen from the popular clothing retailer Polo Ralph Lauren Inc. is forcing banks and credit card issuers to notify thousands of consumers that their credit-card information may have been exposed.

HSBC North America, a division of London-based HSBC Holdings PLC, has begun notifying holders of the HSBC-issued, General Motors-branded MasterCard that criminals may have obtained access to their credit card information and that the cards should be replaced.

HSBC spokesman Stephen E. Cohen said Thursday that "we began doing it last week, and we are continuing." He said that about 180,000 GM-branded card holders are affected.

Neither Cohen nor spokesmen for MasterCard International would identify the retailer by name.

The security breach was reported in Thursday's editions of The Wall Street Journal, which quoted "people with knowledge of the matter" as saying the data was stolen at Polo Ralph Lauren.

Phone calls to Polo Ralph Lauren, which is headquartered in New York, were not immediately returned.

It was unclear how many other cards might be at risk, but both Visa USA Inc. and MasterCard were reported to be dealing with Polo Ralph Lauren on the matter.

MasterCard said in a statement that it was informed of a possible security breach "of transaction data associated with a U.S.-based retailer" in January 2005 and had launched an investigation immediately. The statement said banks that are members of the card association were notified.

HSBC's Cohen said the bank did not yet know if the thieves had used any of the data they got.

"We're being cautious, and we want to protect our customers' accounts, so we're notifying them," he said.

It was the latest in a series of data thefts in the United States that have increased public concern about the security of their personal information.

ChoicePoint Inc., which is based in suburban Atlanta, disclosed in February that thieves, who operated undetected for more than a year, opened up 50 accounts and received vast amounts of data on some 145,000 consumers nationwide. Authorities said some 750 people were defrauded.