Created: 10/23/2013 10:13 PM
By: Caleb James, KOB Eyewitness News 4
Most modern American companies go to great lengths to protect your financial information.
Still, data breaches do happen, and that means your credit card information may be vulnerable.
KOB Eyewitness News 4 learned the really interesting part is, banks don't have to tell you where your information got compromised.
Many banks and credit card companies are in agreements with merchants not to say where compromises occur.
"I put my card in, and it said, 'see attendant'" said Joe Volza. "Then tried it again, cause I'm like, 'Oh you know sometimes it doesn't read right away or something.'"
Volza was far from home -- in Texas when his debit card got declined twice at a gas station.
"The bank said there was a compromise, or a security breach with one of their merchants."
Volza considered himself lucky. His bank had protected him.
"This is what I was sent in the mail," said Volza, showing a new debit card from his bank.
Volza got a new card in the mail -- one he later realized was already on its way to his Albuquerque home before his card was declined in Texas. But Volza said his bank never told him which merchant compromised his data. That's because, they don't have to.
In 2012, many Bank of America Visa cards were compromised by a merchant.
On the bank's website there's a "Data Compromise FAQ" section.
Under one bullet point it says, 'We are unable to provide the name of the merchant or where the data breach has occurred."
We asked viewers on our Facebook page if anyone else had gotten the random replacement card with a vague explanation and got dozens of responses.
Watchdog groups like the Public Interest Research Group want the culprits of data breaches to be identified. Volza agrees.
"I'm surprised that merchants, or that banks don't have to report it," he said.
It affects more people than you might think: according to the Privacy Rights Clearinghouse, nearly 3,000 U.S. businesses are known to have experienced security breaches since 2005.
What do you think? Should banks be required to reveal where a breach occurred?