The source, who requested anonymity, said that about 200,000 debit cards may have been compromised, though it's still not clear exactly how the card and PIN information was accessed and by whom.

Itasca, Ill.-based OfficeMax did not respond to repeated calls seeking comment.

Citibank, a unit of New York-based Citigroup Inc., is the latest in a fast-growing list of financial institutions that over the past several weeks have reissued thousands of debit cards or blocked access to certain transactions in countries where criminals used ATM cards to fraudulently withdraw cash and make purchases.

For example, the US$13 billion North Carolina State Employees Credit Union in Raleigh over the past two weeks has reissued more than 27,500 debit cards since it was informed by Visa U.S.A. Inc. of a security breach involving a U.S. retailer.

Leigh Brady, senior vice president at the credit union, said many of the debit cards were used fraudulently in several countries, including Romania, Russia, Spain and the U.K.