A local credit card breach has affected several dozen people who recently used their credit and debit cards at a Vincent-area gas station, and those numbers could climb much higher.
Suspicious charges connected to cards swiped at Hickory Grove, a gas station and grocery store along Ohio 339, have been traced back to at least a month ago. While close to 100 people have already reported fraudulent charges, that number could climb as high as 200 or 300 as more people begin to discover the charges and the thieves continue to use card information stolen more recently, said Detective Sgt. Scott Parks of the Washington County Sheriff's Office.
"If you think that you're a victim, contact the sheriff's office," stressed Parks.
Parks also advised that those who have used their card at the store recently should diligently check statements and consider asking for a new card to be issued.
Hickory Grove Assistant Manager Morgan Staley said the store immediately stopped accepting credit and debit cards when they were made aware of the problem Friday.
"We're looking at other options to prevent future problems. We put up signs all over our store, posted a thing on Facebook. We're trying to make as much of a widespread awareness as we are able to do," he said.
About the breach
Nearly 100 area residents have reported falsified charges on their credit and debit cards and more victims are likely.
The card information appears to have been stolen through a network intrusion at Hickory Grove, a Vincent-area gas station and grocery store, over the past month.
The breach possibly happened through the Kentucky-based credit card processing company Hickory Grove uses.
Hickory Grove has ceased taking credit and debit cards while the issue is resolved and is warning customers to keep a close eye on bank statements and to cancel cards if anything suspicious appears.
The card information has been used to create new fake credit cards, which have been used in multiple other states.
Thousands of dollars in fraudulent charges have been connected to the breach, but security measures in place through banks and credit card companies will reimburse most, if not all, of the fraudulent charges.
Source: Times research.
The store handles approximately 21,000 transactions a month, though many of those are likely from duplicate customers, noted Staley.
He added that the store was appreciative of the Washington County Sheriff's Office bringing the breach to their attention.
In any case, the breach does not appear to have happened locally, said Parks. Multiple credit card machines, both at the pump and inside the store, were affected. That diminishes the likelihood that a piece of physical equipment was used to hack the card information, he said.
Rather, it appears the information from the magnetic stripes of cards was stolen through a network intrusion, similar to that which compromised the credit and debit cards of millions of Target shoppers late last year, said Parks.
"These card numbers weren't just stolen. There were other cards made using this information," he said.
Duplicates of local cards have been reported used in California, Florida, Texas, Illinois, New York, Georgia and North Carolina, he said.
Because of the scope of the crime and the expertise involved, the United States Secret Service has been contacted to assist with the investigation, said Parks.
The breach did not target a specific bank's customers. Customers from WesBanco, Williamstown National Bank, Belpre Savings Bank, Citizens Bank and United Bank have reported false charges.
WesBanco market president Joe Campbell said only a handful of WesBanco's customers have reported fake charges.
"We have advised all of our branches just to be on the lookout and let us know if they have other cards that pop up (as compromised) or other customers reporting it," he said.
Campbell said many credit card providers have security measures in place that will notify users quickly when suspicious charges occur.
However, these companies will never ask for a person's PIN, Social Security number or date of birth, he warned.
"Legitimate security companies won't ask for any of those numbers," said Campbell.
Furthermore, card users can rest somewhat easier as they are not held responsible for fraudulent charges, he said.
"Even if they do get used, the customers have an appeal process to come back in and get their money back if a card has been compromised," he said.
So far, the largest single transaction made on a fake card is around $400, said Parks. However, hundreds of small transactions have easily added up to thousands of dollars stolen.
The problem is not likely anything the store or the banks could have prevented, added Parks.
It is possible the data was hacked not directly through the store, but rather through their Kentucky-based credit card processing service, said Parks.
If that is the case, it is possible other companies using that service across the United States have also been affected.