ast month, the FBI expanded its investigation into a security breach involving the debit cards of 200,000 consumers in the Western United States because the incident might be linked to similar cases throughout the country.

Control of the investigation has been transferred from the FBI's Sacramento office to its field office in Charlotte, N.C. The case is also being investigated by the Secret Service.

"I'm hemmed in now and can't say much because it's still an ongoing act of investigation," said Ken Lucas, the FBI's spokesman in Charlotte. "I wish I had a crystal ball sitting here on my desk to tell me when the investigation will be done. Right now we're looking at all the information to see if the allegations are credible enough to suspect a potential federal violation."

An international crime ring is suspected of pilfering account information, creating counterfeit debit cards and selling them on the black market. Fraudulent charges related to the most recent breach have been reported in China, Russia, Spain, France, Britain and elsewhere.

Bank of America, Wells Fargo and Washington Mutual are among the banks that recently mailed replacement debit cards to consumers whose accounts may have been endangered. The banks reported that, in most cases, consumers won't be held liable for bogus charges associated with their debit cards if they report suspicious transactions within 60 days.

Banking-industry insiders said the recent West Coast episode was a result of a computer hacker stealing data from a Sacramento-area outlet of a national office-supply chain in December 2005. Various media have mentioned Office Max in connection to this incident, but Office Max spokesman William Bonner said that the company has no knowledge of any security breach.

In another California incident that came to light in November 2005, Golden 1 Credit Union cancelled 1,500 debit cards after it was alerted to possible fraud in the Sacramento area. Some of the accounts in question experienced unauthorized withdrawals at ATMs in Great Britain, Russia and South Korea and were subsequently closed.

The other at-risk accounts experienced no suspicious activity, but the credit union replaced their debit cards as a precaution. At that time, authorities suspected an employee of a local merchant caused the breach by stealing customers' account numbers and PINs.

In a possibly related incident, Wal-Mart Stores Inc. reported in December 2005 that credit cards used by some of its customers to purchase gas at the company's Sam's Club stations were compromised in September and October 2005. Wal-Mart has 500 Sam's Club outlets and did not indicate whether the affected cards were restricted to a particular region.

Whether retail merchants hold liability in this unfolding case is not yet determined. "On the retailer issue, it's not crystal clear in the law what their obligation is to notify consumers," said Tom Dresslar, spokesman for Attorney General of California Bill Lockyer. "They clearly have an obligation to notify the owner of the information, which is typically a bank or credit card company. The extent to which they are obligated to notify consumers directly depends, really, on circumstances. We would argue that if they're maintaining that information in a database, then they would probably have to notify consumers."