Thieves pinched the credit card data for hundreds of attendees of two conferences held in Boston, a city in the US state of Massachusetts, this past autumn.
The Boston Globe said on Wednesday that victims have reported fraudulent purchases made on their accounts around the US and overseas.
It's unclear how the thieves got the card numbers, although many victims said they used their credit cards in Boston restaurants and businesses - particularly in the Seaport District, where the Boston Convention & Exhibition Center that they were attending is located.
Georges Benjamin, executive director of the American Public Health Association, told the Boston Globe that this is the first time his group has experienced such a thing.
The group hosted 13,000 convention-goers in early November, out of which, so far, 100 have reported that fraud was carried out on their accounts.
In one case, a crook tried to make a $100,000 purchase on one of the accounts.
Another 200 people reported unauthorized charges after attending the annual conference of the American Society of Human Genetics, which hosted 8,000 attendees at the convention center in October.
The Boston businesses that could prove to be the weak spot have claimed that they're not the source of the breach.
For its part, the public authority that runs the convention center - Massachusetts Convention Center Authority (MCCA) - said that the data breach didn't happen inside the convention hall.
MCAA spokesman Mac Daniel said in a statement seen by the Boston Globe that the authority began investigating around Thanksgiving after having received complaints from the two conference groups and at this point has concluded that the breaches didn't happen at its facility:
After running internal checks and working with our customers, we found that no alleged theft occurred in any MCCA facility and appeared to occur at bars and restaurants across the city.
James E. Rooney, Executive Director of the MCCA, said in a statement that seven of its own employees were also victimized in the breach.
The general manager of a hotel connected to the convention center that hosted many attendees, the Westin Boston Waterfront Hotel, also told the Boston Globe that the breaches hadn't originated in its systems.
A spokeswoman for the Briar Group, which owns M.J. O'Connor's Restaurant as well as City Bar inside the Westin, told the Boston Globe that its security consultants hadn't detected any system problems and that the company complies with security standards as outlined by the payment card industry.
So, at the moment, it's unclear where the source of the data breach is.
Let's hope it turns up soon so no one else falls victim.Follow @NakedSecurity