The Walmart MoneyCard hacker strikes again: Cardholders from across the U.S. see their hacked cards drained at NYC Target stores

originally published at ConsumerAffairs

UPDATE, Oct. 15: Walmart and Green Dot have responded; their statements are at the end of this article.

Something criminally strange seems to be going on with Walmart MoneyCards, especially in New York City and its immediate suburbs, though any MoneyCard holder in America is apparently at risk.

Ever since September 2013, ConsumerAffairs has had sudden, periodic bursts of readers contacting us with very similar-sounding complaints: people from all over the United States say that not only were their MoneyCards hacked, but the hacker or hackers drained the money from those cards by spending them at a Target store in the New York metro area.

When we contacted Walmart media-relations staff for comment, they passed our request from person to person until we were told that Walmart couldn’t comment on the matter, but a representative of Green Dot bank would definitely email us by end-of-business next day. That was five days ago.

We first reported this MoneyCard-hacking trend on Sept. 16 of last year: in less than a two-week period, MoneyCard holders living in California, Missouri and Ohio all told us that somebody hacked their cards and spent the money at a Target in New York.

No information

Then, in March 2014, we got an email from a Virginia woman who wrote: “I have come across your article about Wal-Mart Money Cards being hacked because unfortunately I was a victim this week. Other than your article I have not been able to find any information pertaining to hackers making purchases in New York.”

Her story contained an additional detail which the earlier “MoneyCard hacked and spent at a New York Target” stories didn’t have: before emptying her MoneyCard account down to the last penny at a Target store in Mount Vernon (which borders the New York City borough of the Bronx), the hacker posted a $250 credit, followed almost immediately by a $250 debit, at a motel in Florida.

Six months later, that March story still gets fresh comments posted on it. In September, Ann R. shared this:

This JUST happened to us! Went to check our balance and it was 0. They added money, $500, took it off, added again, took that out along with some of our money and than cleared us out at a Target store in Flushing NY!

And here’s what Jennifer from Arkansas wrote on Oct. 4:

Just happened to my husbands card today. WE HAVE 7 KIDS TO FEED and now no money to do so. It was his entire DD paycheck of 1100.00. Walmart told us the same thing. Wait until it posts and then we can make a complaint. BE CAREFUL PEOPLE nothing has changed and the TARGET in the BRONX New York is getting major cash!!!

F. M. in Indiana posted this on Oct. 10:

We just got our paycheck today direct deposited on the card and within hours received credit from Ashely, OH from some Erik guy and then reversals and then later the full amount of $414.27 was taken from Target in Bronx, NY….I live in Indiana and have NEVER shopped at Target so how in the hell did they get our information? …. it could take a month or longer before we see any kind of money again and we have a family of 6 to feed!!!

And late last night, Joshua B. posted a much shorter version of the same complaint:

Just got me for $852. Target store in the bronx

Wiped our account clean

In addition to such publicly posted comments, we’ve received similar stories in emails. Last Tuesday, a man named Chris wrote us to say: “This past Saturday we found out someone got our card number and wiped our account clean. My wife was doing research on the internet and came across an article you wrote …. The stories in the article are exactly what happened to us. We live in Texas and someone used our number to make a purchase at a Target store in New York.”

Specifically, a store in Valley Stream (a suburb on Long Island, which borders the New York City borough of Queens). And Chris’ card also had a fraudulent credit-then-debit transaction in a completely different state, shortly before the card’s funds were drained at a New York City-area Target:

The first transactions were made from SQ, Dennis Smith from Smithsburg, MD. Listed as service provider. They added $200 then took $500 then took $200 then added $600 then added $500 then took $600 which brought it to the original balance of $670.56 which they then made a transaction for that exact amount at Target. I’m guessing the reason they add then subtract money is somehow a way for them to find out what the actual balance is then they make the purchase.

Few common elements

So here’s what we know: it appears that for at least 13 months now, a person or group presumably in New York City or subway range thereof has been able to periodically hack into a handful of Walmart MoneyCard accounts from around the country. None of the cardholders appear to share a common point of purchase (although we haven’t been able to see the completelegitimate-transaction records for every account). Nor do the victims have geography in common: people living from the West Coast to the East Coast and various states in between have all reported cards drained at a Target store in New York.

The only thing these people all seem to have in common is their status as Walmart MoneyCard holders – yet despite this, there’s no evidence suggesting that the hackers managed to break into the actual MoneyCard database. (Or perhaps it’s more accurate to say: if the hackers did get these numbers by breaking into the database, we’d expect to hear a lot more people complaining that their accounts were drained. Yet for all the news stories you see nowadays on the theme “Major corporate database hacked; millions of customers’ info stolen,” so far there’s been no such warning regarding Walmart MoneyCards.)

What to do

If you are a Walmart MoneyCard holder whose account has been hacked, Walmart’s online cardholder agreement says that you must:

Tell us AT ONCE if you believe your Walmart MoneyCard or PIN has been lost or stolen. Calling is the best way of notifying us. You will not lose any part of the money on your Walmart MoneyCard based on unauthorized use if you have exercised reasonable care in safeguarding your card and PIN from risk of loss or theft. However, if these conditions are NOT met, you could lose the lesser of $50 or the amount of unauthorized use from your Walmart MoneyCard before you notify us that your card has been lost or stolen. If you believe your Walmart MoneyCard or PIN has been lost or stolen, report it online at walmartmoneycard.com or call (877) 937-4098, or write to Our Mail Address.

For what it’s worth: hacked MoneyCard holders who promptly follow Walmart’s instructions are likely to get their stolen money back – eventually. Unfortunately, low-income or low-asset hacker victims living paycheck to paycheck might find it very difficult to pay their bills or buy groceries in the meanwhile.

Companies respond

UPDATE: Oct. 15: After publication, Walmart and Green Dot representatives e-mailed us the following responses:

From Walmart:

We take these matters very seriously. Our partner, Green Dot Bank, works hard every day to ensure Walmart MoneyCard holders are protected. It’s important to note that Walmart’s systems have not been compromised.

From Green Dot Bank:

Fraudulent transactions occurring on a compromised debit or credit card is, unfortunately, an increasingly common occurrence for customers of all banks and credit unions, especially in light of numerous recent high-profile data compromises. It’s important to note that Green Dot brand Prepaid cards and Walmart MoneyCard brand prepaid cards are issued by Green Dot Bank and, as such, these customers are covered by Regulation “E” dispute and error resolution protection. This means that Green Dot Bank will reimburse its customers money lost as a result of fraud. Customers should immediately report any suspected fraud to the bank issuer of their particular card.