Thousands of Alaskans are getting new credit and debit cards in the mail this month after a malicious security breach at a Lower 48 company that processes millions of card purchases per month.

The data stolen from New Jersey-based Heartland Payment Systems appears to be limited to cardholder names, card numbers and card expiration dates, the company says.

Major banks and credit unions in Alaska said Tuesday that data belonging to thousands -- though not all -- of their Alaska customers was compromised.

About one-fifth of the cards belonging to First National Bank Alaska customers were breached, for example.

"We reissued every card that was on the compromised list," said Valerie Bale, First National's electronic banking manager.

Here's what apparently happened: Hackers planted software on Heartland's payment processing system that harvested magnetic strip data from millions of card transactions. The company says the breach began last May. More than 250,000 merchants use Heartland to process their transactions. The company declined to identify the merchants.

Heartland said it began investigating the matter late last year after two major credit card companies -- Visa and Mastercard -- began noticing fraudulent charges on cards that had been swiped at Heartland's merchants.

After Heartland announced the data breach on Jan. 20, many credit unions and several banks in Alaska began issuing new cards and cancelling the old cards for every customer whose private data had been breached.

For example:

• Alaska USA Federal Credit Union reissued 64,000 debit cards and 6,000 credit cards to customers in Alaska and western Washington state.

• First National Bank Alaska reissued 1,150 credit cards and 7,000 debit cards.

• Credit Union 1 reissued 1,121 credit cards and 7,135 debit cards.

• Denali Alaskan Federal Credit Union reissued more than 5,000 credit and debit cards.

Alaska USA and First National said they or their customers have noticed suspicious activity on a few of the cards that were breached, but they said their customers will have "zero liability" for any fraudulent charges.

Heartland says no Social Security numbers, PIN numbers, addresses or telephone numbers were stolen as the result of the breach.

Wells Fargo Bank, Northrim and KeyBank officials wouldn't say how many cards they've reissued due to the security breach.

Unlike other banks and credit unions in Alaska, KeyBank isn't notifying customers whose card data may have been breached unless the bank notices suspicious activity on those accounts.

Instead, "We have ramped up our fraud monitoring," said Anne Foster, a regional spokeswoman for KeyBank, which has 17 branches in Alaska.

She said KeyBank will reissue cards to customers who request it, and will immediately notify customers of any suspicious charges, but the company is trying to avoid customer anxiety and extra expense to people who haven't actually been harmed. So far, there's no evidence that KeyBank customers' card data has been used fraudulently as a result of the breach, she said.

KeyBank is the primary sponsor bank for Heartland. That means that KeyBank registers Heartland with Visa and Mastercard to provide payment processing services. Heartland must have a sponsor bank in order to do business with Visa and MasterCard.

The data breach has been expensive, local banks and credit unions said.

It costs about $5 to reissue a single credit or debit card, estimated Bale, the electronic banking manager for First National.

That doesn't include all the staff time that has been diverted to researching the breached accounts and the inconvenience created for customers who had to get a new card, said Blythe Campbell, Northrim's marketing manager.

"It's maddening," she said.

Find Elizabeth Bluemink online at adn.com/contact/ebluemink or call 257-4317.

ADVERTISEMENT