March 14, 2006 4:27 PM PST

OfficeMax: No evidence of security breach

Following an extensive review of its security systems, OfficeMax says it has no reason to believe it was the company that suffered the data breach that resulted in thousands of cases of debit card fraud.

On Tuesday, the office-supply chain said that an independent study by a security expert found no indication that the company's customer information was lost. An internal investigation came to the same conclusion.

"OfficeMax takes the security of our customers' information with the utmost seriousness and is committed to protecting private customer information," the company said in a statement. "As we have stated consistently, we have no knowledge of a security breach at OfficeMax."

But the company wouldn't explain why it was still involved in the investigation into the debit card thefts.

"OfficeMax continues to work with the United States Secret Service and other federal law enforcement agencies in their investigation of ATM fraud," the company said.

Debit card holders from San Francisco to Pittsburgh to Boston have reported cash was seized from their accounts via fraudulent withdrawals. Visa and MasterCard have said a merchant had suffered a data theft but wouldn't identify the company.

During the past two weeks, law enforcement officials have noted that their investigations revealed that many of the fraud victims were OfficeMax shoppers.

On Monday, Hudson County Prosecutor Edward DeFazio said his office had arrested 14 people in connection with the nationwide crime wave involving debit cards. In an interview with CNET, DeFazio identified OfficeMax as among the victims of data theft. He said other companies were also ripped off.

OfficeMax has said it has "not received information from any third party concluding" that it suffered a breach.

See more CNET content tagged:
OfficeMax Inc., debit card, security breach, investigation, security


Join the conversation!
Add your comment
Why Retain a PIN?
Maybe someone should ask Office Max why they were even storing customer's debit card PIN information? I have read where even customers of their brick and mortar stores were affected.
Posted by tbsteph (62 comments )
Reply Link Flag
Cheaper processing ...
In the US, you can either do real time credit card authorization or you can batch the requests and then process them either in blocks or after hours at a reduced cost to the retailer.

So the retailer has to determine how much risk there is in a retail purchase to determine how fast to process the card.

To put this in real terms, if the average purchase is under $50.00, it makes sense for a retailer to wait. Especially if the purchaser is a repeat customer. (The odds/risk of a fradulent purchase are low...)

If someone wants to purchase a $1,500 (USD) computer or some other big ticket item, then the risk outweighs the cost and the credit card verification is done in real time.

With respect to internet/brick and mortar sales, its the same system in most cases, therefore the risk is
Posted by dargon19888 (412 comments )
Link Flag
No Evidence??? Like what do you expect?
Not to pick on OfficeMax, but lets face it. Just because you can't find any trace of a break in, doesn't mean that it didn't occur.

Without knowing something about OfficeMax and their set up, there are several vectors of attacks that could occur and unless OfficeMax were to maintain extensive logfiles, it would be difficult to track down where they were penetrated.

Add to the possibility that they waited a couple of months prior to exploiting the stolen credit cards, and your log files are probably gone.

The scary part... Office Max isn't alone. There are other potential targets...
Posted by dargon19888 (412 comments )
Reply Link Flag
Investigating a Security Breach
It is next to impossible to prove a computer system was not compromised. The average time from breach to discovery is around 2 years.
Posted by 4KGColeman (1 comment )
Reply Link Flag
I was contacted by my bank's fraud department yesterday and questioned about charges being made on my debit card in Illinois. Of course, I'm many miles away at home and someone is using my debit card to buy groceries, liquor, jewelry, and other items locally in Illinois. Interestingly enough, I recently made an online purchase from Office Max for my first and last time. I just happened to notice that the Office Max online purchase on my statement reflects an Illinois address. I shared this information with my bank and then decided to google office max fraud and found this. I'm so careful with banking information that the fraud department had a difficult time getting me to confirm my personal information to verify my account...and I readily gave it to Office Max to make an online purchase. Too coincidential for me!
Posted by ljm1958 (1 comment )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.