A handful of people who receive child support through the State of Wisconsin had money stolen from their debit accounts after Target's data breach last year.
Joe Scialfa, a spokesman for the Wisconsin Department of Children and Families, said nearly 4,000 debit cards belonging to people who receive child support from Wisconsin were compromised in the breach.
The department's role is to facilitate child support payments; in essence, it is the pass-through agency. The state collects child support from the payers and distributes it to payees, either through direct bank deposits or debit card accounts.
About 100,000 child support recipients have EPPIC debit card accounts. The 3,998 compromised cards were used at Target stores during the time frame of the Target breach, and were replaced "as a proactive measure," Scialfa said.
The Target breach took place between approximately Nov. 27 and Dec. 18, 2013, and affected 40 million debit and credit card accounts nationwide.
Target CIO Resigns
Following the massive security breach that is thought to have affected as many os 110 million U.S. residents, Target CIO Beth Jacob resigned on March 5, PC World reported. She had been the company's CIO since 2008, and was previously its director of guest contact centers and VO of guest operations.
EPPIC, the company that manages the debit MasterCards for the state, issued new cards to all affected cardholders Jan. 9 and contacted them by letter and by phone to let them know new cards were issued, Scialfa said.
Former Milwaukee resident Anita Lichtenberger, who now lives in Massachusetts, said she found out she'd been a victim in January when she made a routine call to EPPIC to find out the balance on her card. Instead of the normal automated system that tells her the balance, she was transferred to an EPPIC rep, who informed her that $3,597 was stolen from her account through an ATM overseas on Jan. 6.
"The person I was transferred to said, 'There have been several transactions on your card in London, England. They took three withdrawals for approximately $1,300 each,'" she told the Public Investigator this week. "I was freaked out."
Lichtenberger said she was told she'd be mailed a fraud questionnaire that she needed to fill out and mail back to EPPIC. If the form was completed within 10 days of her call, she'd get a provisional refund to her account. Lichtenberger said she's still waiting for that refund.
Lichtenberger and state officials disagree on whether she responded fast enough to qualify for that refund. She said she first called EPPIC on Jan. 9, but that the company didn't mail her the form until after Jan. 20.
Scialfa said Lichtenberger first called EPPIC Jan. 20 and didn't mail back the form within 10 days of that date, which is a prerequisite for getting a provisional refund.
He said EPPIC received Lichtenberger's completed questionnaire Feb. 25, three weeks after her deadline.
Because Lichtenberger "wasn't very proactive," she may have to wait up to 90 days for EPPIC to complete its international fraud investigation before getting her money back, he said.
"I wish we could do something about it, but that is how the procedures work," he said.
Scialfa said of the 3,998 EPPIC accounts affected by the breach, the state was informed there were "a handful of confirmed cases" in which money was stolen. He did not have information on how much money was stolen.
He said EPPIC worked with victims in those cases to make them whole as quickly as possible. He said Lichtenberger was the first victim he heard of who had any problems getting money back.
"Though this is troubling for the individual, this is not an example of a systemic problem," Scialfa said. "This is an example of someone who, unfortunately, didn't do things the way they needed to be done in a timely manner to get a provisional credit, which was offered to people. The investigation has to play out now to find out if she was a victim of fraud or not. Then she'll be made whole."
He said EPPIC didn't have to offer a temporary credit.
"EPPIC even went so far as to offer provisional credit to people who returned needed paperwork within 10 business days of their initial report of suspected fraud to EPPIC, despite the fact that they were under no obligation to do so," he wrote in an email.
Federal law generally offers more protection for fraud on credit cards than for debit cards, according to the Federal Deposit Insurance Corporation. Under the Truth in Lending Act, a credit card holder's liability for unauthorized charges is capped at $50. But under the Electronic Fund Transfer Act, the liability of a debit card holder is capped at $50 only if the person notifies the bank of any unauthorized charges within two business days.
With transaction errors on debit cards, banks can take up to 90 days to investigate but generally have to temporarily credit the consumer's account for the error amount pending the outcome of the review, according to the FDIC.
According to a notice on the Wisconsin Department of Children and Families website, EPPIC was able to reach 3,000 of the nearly 4,000 cardholders to notify them of the breach affecting their cards and the spending restrictions imposed.
Scialfa said more than 3,000 replacement cards were sent out and that "only a small percentage" of them have not yet been activated. He said until Lichtenberger, no one expressed any concerns related to the breach or EPPIC's efforts to help victims.
Scialfa said anybody who receives child support payments through the Wisconsin child support system and has security concerns can choose to have money direct deposited into his or her bank account.
EPPIC cardholders who believe they're victims of fraud or have questions should call EPPIC's customer service center at (877) 253-3686.
©2014 the Milwaukee Journal Sentinel