Identity thieves apparently hit clothing retailer

About 180,000 users of credit cards affected

Associated Press

April 15, 2005

NEW YORK - The apparent theft of data from the popular clothing retailer Polo Ralph Lauren Corp. is forcing banks and credit card issuers to notify thousands of consumers that their credit card information might have been exposed.

HSBC North America, a division of London-based HSBC Holdings PLC, has begun notifying holders of the HSBC-issued, General Motors-brand MasterCard that criminals might have obtained access to their credit card information and that the cards should be replaced.

HSBC spokesman Stephen E. Cohen said yesterday that "we began doing it last week, and we are continuing." He said about 180,000 holders of GM-brand cards are affected.

Neither Cohen nor spokesmen for MasterCard International would identify the retailer by name.

The security breach was reported by news outlets Wednesday. Yesterday's Wall Street Journal quoted "people with knowledge of the matter" as saying that the information was stolen from Polo Ralph Lauren.

A spokeswoman at Polo Ralph Lauren, which is based in New York, declined to comment.

Polo Ralph Lauren shares dropped $1.28, or 3.3 percent, to close at $37.18 yesterday on the New York Stock Exchange.

It was unclear how many other cards might be imperiled, but Visa USA Inc. and MasterCard - the nation's largest credit card associations - were reported to be dealing with Polo Ralph Lauren on the matter.

MasterCard said it was informed of a possible security breach "of transaction data associated with a U.S.-based retailer" in January and had immediately begun an investigation. It said banks that are members of the card association were notified and that "investigations into this incident by MasterCard, law enforcement and other parties are ongoing."

Visa USA issued a similar statement, saying it was notified "by a U.S. merchant" of a possible data security breach. Visa USA said it was working with the merchant, law enforcement agencies and its bank members "to monitor and prevent card-related fraud."

In response to a reporter's query, Citigroup Inc., the nation's largest financial institution, confirmed that it is "notifying some customers who we think may be at risk." The New York-based bank said it takes "appropriate action" when notified by Visa or MasterCard of potential security breaches but gave no other details.

It was the latest in a series of data thefts that have increased public concern about the security of their personal information.

ChoicePoint Inc., based in suburban Atlanta, disclosed in February that thieves, who operated undetected for more than a year, opened 50 accounts and received vast amounts of data on some 145,000 consumers nationwide. Authorities said some 750 people were defrauded.

In March, DSW Shoe Warehouse, based in Columbus, Ohio, said more than 100,000 customers probably were affected by a break-in of the company's database.

This week, London-based Reed Elsevier, which owns Lexis Nexis, revealed that criminals might have breached computer files containing the personal information of 310,000 people since January 2003.

HSBC's Cohen said the bank did not know whether the thieves had used any of the stolen data.

"We're being cautious, and we want to protect our customers' accounts, so we're notifying them," he said.