Theft at Target leads Citi to replace debit cards

Nathaniel Popper

Citibank plans to reissue all customer debit cards involved in the data breach at Target, making it the second major bank to do so since the attack was disclosed last month.

The bank did not replace the debit cards sooner because it wanted to minimize disruptions during the holiday shopping season, according to a person briefed on the company's decision who spoke on the condition of anonymity. It will begin sending out new cards soon.

(Read more: JPMorgan limits debit cards used at Target)

Adam Jeffery | CNBC

Target initially said that card information from 40 million customers was stolen between late November and mid-December when its in-store network was hacked.

Last week, the company revised its damage estimate to include other systems, which stored the personal data of 70 million more customers, with possible overlap, including people who may not have shopped at Target recently. Experts say it was one of the largest thefts of consumer data.

Citi said its decision this week was not motivated by any new surge of fraud or by additional information on the breach but was a precautionary measure. Still, Citi's move highlighted the potential for continuing damage to consumers, banks and Target as data stolen in the breach may keep leaking into the black market.

(

Neiman Marcus also disclosed late last week that its systems had been breached, although it has not revealed how widespread the theft was.

Dems call for answers from Target

JPMorgan Chase took a step similar to Citi's just a few days after the data breach was made public in December. JPMorgan ultimately replaced two million of its 23 million debit cards. Neither JPMorgan nor Citi is conducting a wholesale reissue of credit cards, which are harder to defraud quickly.

Target initially said that the PINs from debit cards had not been taken, but it later admitted that encrypted PIN data had been involved. The company said it thought the PINs were still "safe and secure."

(Read more: Target: Stolen information involved at least 70 million people)

Banks are generally responsible for charges made on stolen credit cards, but debit card users do not have the same protections and can be responsible for up to $500 in losses depending on when they report the fraud.

More from New York Times:

Better Hearing Through Bluetooth
Goodnight. Sleep Clean.
A Busy Doctor's Right Hand, Ever Ready to Type

Federal authorities, including the Secret Service, are investigating the thefts, which included consumer information like names, mailing and email addresses and other financial data.

The major consumer banks have been taking slightly different approaches in their responses to the Target breach. The other three consumer banks among the nation's five largest — Bank of America, Wells Fargo and U.S. Bank — have said they are carefully watching cards for signs of fraud, but they have not broadly reissued debit or credit cards.