But the company, based in Natick, Mass., now faces claims from some of the 10 to 15 banks that had to replace cards or reimburse consumers for fraudulent transactions. Investigators and bank officials have declined to disclose the monetary losses.

As sensitive data about consumers — not just credit card numbers but also buying habits and other personal information — are recorded in databases, the potential for identity theft on a massive scale is increasing.

Last week, three men pleaded guilty in North Carolina to charges they conspired to hack into the Lowe's home improvement chain's data network to steal credit card information. Lowe's officials said the men failed to get into the company's national database.

In another case involving a mother lode of data, a Florida man was charged last month with stealing large amounts of consumer information from database aggregator Acxiom Corp. — the second such hack of Acxiom files revealed in the past year. Prosecutors say the stolen data was not used for identity fraud but to distribute ads via an e-mail business the man runs.

Such thefts raise costs for credit card issuers, which typically cover most losses from fraudulent transactions and limit liability to merchants. The problem is a moving target because thieves are creating increasingly sophisticated criminal networks with global reach.

"However they find the numbers, they end up on some computer bulletin board and are sold," said Buckley.

Lawmakers are responding. A federal law signed July 15 increases criminal penalties and eases the burden of proof prosecutors must meet to win convictions in identity theft cases.

The law also establishes a new crime of aggravated identity theft and sets stiffer punishment guidelines for cases originating from information stolen in a workplace.

A Michigan State University study to be published later this year found as many as 70 percent of all identity theft cases originate with information stolen in a workplace, rather than through hacker intrusions, home robberies or mail fraud.

The study's author, Judith Collins, an MSU criminal justice professor, said the tougher sentencing the new federal law requires is a move in the right direction.

"But it does nothing to pre-empt identity theft," she said.

A California law that took effect last year holds merchants more accountable for safeguarding customers' card data, but analysts say few such protections exist elsewhere. Under the California law, banks and other companies must notify customers when a breach of their personal information is suspected.