Polo Ralph Lauren hit by credit-card hackers

NEW YORK — Data apparently stolen from the popular clothing retailer Polo Ralph Lauren is forcing banks and credit-card issuers to notify thousands of consumers that their credit-card information may have been exposed.

HSBC North America, a division of London-based HSBC Holdings, has begun notifying holders of the HSBC-issued, General Motors-branded MasterCard that criminals may have obtained access to their credit-card information and that the cards should be replaced.

Spokesman Stephen Cohen said notification began last week and is continuing. About 180,000 GM-branded card holders are affected, he said.

Neither Cohen nor spokesmen for MasterCard International would identify the retailer.

The security breach was reported in yesterday's editions of The Wall Street Journal.

Polo Ralph Lauren said late last night it had learned in the fall that some of its customers' credit-card information "may have been misappropriated."

It said certain information may have been retained and stored in point-of-sale software. The company said it took steps immediately to purge the information and "is confident that its credit-card system is secure."

Polo Ralph Lauren shares dropped $1.28, or 3.3 percent, to close at $37.18 in trading yesterday on the New York Stock Exchange. They have traded in a 52-week range of $31.01 to $42.83.

It was unclear how many other cards might be at risk, but both Visa USA and MasterCard — the nation's largest credit-card associations — were reported to be dealing with Polo Ralph Lauren on the matter.

MasterCard said it was informed of a possible security breach "of transaction data associated with a U.S.-based retailer" in January and had launched an investigation immediately. The statement said banks that are members of the card association were notified.

"Investigations into this incident by MasterCard, law enforcement and other parties are ongoing," the statement said.

Visa USA issued a similar statement, saying it was notified "by a U.S. merchant" of a possible security breach. Visa USA said it was working with the merchant, law-enforcement agencies and its bank members "to monitor and prevent card-related fraud."

It was the latest in a series of data thefts that have increased public concern about the security of personal information.

ChoicePoint, based near Atlanta, disclosed in February that thieves, who operated undetected for more than a year, opened up 50 accounts and received vast amounts of data on some 145,000 consumers nationwide. Authorities said some 750 people were defrauded.

In March, DSW Shoe Warehouse, based in Columbus, Ohio, said that more than 100,000 customers of a shoe-store chain likely were affected by a database cyber-break-in.

Earlier this week, London-based Reed Elsevier, which owns LexisNexis, revealed that criminals may have breached computer files containing the personal information of 310,000 people since January 2003.

HSBC's Cohen said the bank did not know if the thieves had used any of the stolen data.

"We're being cautious and we want to protect our customers' accounts, so we're notifying them," he said.

Information from Reuters is included

in this report.