LEWISTON — The Maine State Computer Crimes Unit is investigating the theft of credit and debit card numbers used to make purchases at Day’s Jewelers stores.
No one is saying how the data was hacked.
Maine State Police Detective Laurie Northrup declined to release details about the case Tuesday, saying only that the Waterville-based jeweler is cooperating fully.
The theft appears limited to customers who made purchases in one of the chain’s six stores during November and December, the Maine Credit Union League said in a release. Day’s Jewelers has stores in Auburn, Bangor, Brunswick, South Portland, Waterville and Manchester, N.H.
The league said more than 1,000 credit union members in Maine who made purchases at Day’s stores have had fraudulent activity on their cards. The figure is only for cards issued by Maine credit unions and doesn’t include those issued by commercial banks, credit card companies and other financial institutions.
“We know based on talks with individual credit unions that the number of people impacted is over 1,000 and it’s likely over 2,000,” said John Murphy, credit union league president. “But you don’t really know until a little time passes the total number of folks impacted.”
Online orders were not affected, the jeweler said in a statement released Tuesday afternoon.
“We apologize for any concerns this may raise with our customers,” said Day’s President Jeff Corey. “We are talking directly with any consumer who may have questions or concerns.”
The theft was noticed when a rash of international transactions set off warnings with local banks, said Chris Pinkham, president of the Maine Bankers’ Association.
People who routinely buy gas and groceries in Portland and Bangor suddenly had transactions in India or elsewhere, Pinkham said. When that happens, accounts are red-flagged.
Banks throughout the area were affected, Pinkham said. They began issuing phone and mail alerts to affected customers late last week.
“We had notification of approximately 85 accounts and we promptly took steps to protect all the affected customers,” said Chris Delamater, a spokesman for Lewiston-based Northeast Bank. “Those affected cards were closed and new ones were issued.”
Federal law protects private consumers who make purchases using their credit cards and debit cards. In most cases, stolen money is replaced by the banks, Pinkham said.
Investigators told Day’s Jewelers that the theft involved hackers from outside the company, according to the release.
The jeweler has hired a computer forensics team to help uncover what happened and define the scope of the theft.
The company’s initial investigation found no evidence that customers’ personal information was stolen, the release said.
“These are not casual hackers,” Pinkham said. But the theft was small compared to the attack that hit Hannaford in late 2007 and early 2008. In that case, as many as 4.2 million card numbers were exposed to thieves.
The Maine Bankers’ Association and the Maine Credit Union League are encouraging people to check their accounts on a regular basis and report any unusual charges or activity.