A Wells Fargo notice, as published by the New Hampshire Attorney General, points to “suspicious transactions” from unauthorized use of access codes. They claim they do not know how the codes were compromised:
We are writing to inform you that a third party data provider has notified us that a Wells Fargo access code was used to gain unauthorized access to your personal information. This data may have included your name, address, date of birth, Social Security number, driver’s license number, and credit account information. We do not know how this breach occurred, but we have notified the appropriate law enforcement authorities and a thorough investigation is underway.
This seems at face value to be similar to the Citibank-7/11 incident where large numbers of PIN codes were somehow stolen. PCI has primarily been focused on merchants, and is just now shifting to payment applications, but the attackers seem way ahead of the curve and going directly after the banks themselves.