HSBC North America, a division of London-based HSBC Holdings PLC, has begun notifying holders of the HSBC-issued, General Motors-branded MasterCard that criminals may have obtained access to their credit card information and that the cards should be replaced.
HSBC spokesman Stephen E. Cohen said Thursday that "we began doing it last week, and we are continuing."
He said that about 180,000 GM-branded card holders are affected.
Neither Cohen nor spokesmen for MasterCard International would identify the retailer by name.
The security breach was reported in Thursday's editions of The Wall Street Journal, which quoted "people with knowledge of the matter" as saying the data was stolen at Polo Ralph Lauren.
A spokeswoman at Polo Ralph Lauren, which is headquartered in New York, said "we have no comment at the moment" on the report. She asked that her name not be used.
It was unclear how many other cards might be at risk, but both Visa USA Inc. and MasterCard — the nation's largest credit card associations — were reported to be dealing with Polo Ralph Lauren on the matter.
MasterCard said in a statement that it was informed of a possible security breach "of transaction data associated with a U.S.-based retailer" in January 2005 and had launched an investigation immediately. The statement said banks that are members of the card association were notified.
"Investigations into this incident by MasterCard, law enforcement and other parties are ongoing," the statement said.
There was no immediate comment from Visa USA.
In response to a reporter's query, Citigroup Inc., the nation's largest financial institution, confirmed that it currently was "notifying some customers who we think may be at risk." The New York-based bank said it takes "appropriate action" when notified by Visa or MasterCard of potential security breaches, but gave no other details.
It was the latest in a series of data thefts that have increased public concern about the security of their personal information.
ChoicePoint Inc., which is based in suburban Atlanta, disclosed in February that thieves, who operated undetected for more than a year, opened up 50 accounts and received vast amounts of data on some 145,000 consumers nationwide. Authorities said some 750 people were defrauded.
In March, DSW Shoe Warehouse, based in Columbus, Ohio, said that more than 100,000 customers of a shoe-store chain likely were affected by a cyber break-in of the company's database.
Earlier this week, London-based Reed Elsevier, which owns LexisNexis, revealed that criminals may have breached computer files containing the personal information of 310,000 people since January 2003.
HSBC's Cohen said the bank did not yet know if the thieves had used any of the data they got.
"We're being cautious, and we want to protect our customers' accounts, so we're notifying them," he said.