Retailer Wards Failed To Notify Customers Of Data Breach
Trusted old-name retailer Wards did not inform its customers of a data breach that allowed hackers to gain access to at least 51,000 records, including credit card numbers. The breach occurred at the store’s parent company, Montgomery Ward, where hackers looted the database that held account information for all of the firm’s retail properties.
The respected Wards retail chain got its start in 1872, but eventually went out of business in 2001. Three years later Direct Marketing Services Inc., a catalog company, acquired the brand out of bankruptcy and now runs the Wards.com Web site along with others, including SearsRoomforKids.com, SearsShowplace.com and SearsHomeCenter.com.
David Milgrom, CEO of Direct Marketing Services, said the breach was discovered last December by Citigroup, who reported that the hackers had gained access to the database via HomeVisions.com, another Direct Marketing Services Web site.
Upon learning of the intrusion, Direct Marketing Services immediately informed its payment processor and MasterCard and Visa. The firm then followed Visa’s guidelines for managing a security breach, Milgrom said, which included reporting the incident to the U.S. Secret Service. The company believed it had met its obligations by the end of December.
But Visa’s guidelines are mainly technical in nature, and do not cover the critical step of complying with state notification laws. Nearly every state has such a law, and they typically require companies that have been hacked to notify affected consumers, not merely the financial firms involved. Depending on the state, companies that fail to comply can be fined or even sued by affected customers.
State notification laws have resulted in the disclosure of scores of breaches involving hundreds of millions of consumer accounts at banks, corporations, retailers and universities in recent years. Direct Marketing Services now plans to contact consumers, Milgrom said, in response to an Associated Press inquiry about the laws.
The breach may never have become public were it not for an online chat session detected in June by Affinion Group Inc.’s CardCops, a team of investigators who track payment-card theft on behalf of financial companies.
In an Internet chat room frequently used by hackers, CardCops investigators noticed bragging about the sale of 200,000 payment cards from a single merchant. The investigators then intercepted several hundred of the records, along with screen names belonging to hackers whose real identities still remain unknown.
Along with the credit card numbers, including the three-digit "security codes" and expiration dates, the hackers were in possession of the cardholders’ names, addresses and phone numbers. Since the data was organized in a similar way, investigators believe the numbers likely came from the same database.
Dan Clements, CardCops’ president, noticed that the vast majority of the cardholders were women, a sign the records came from a single merchant catering to that particular demographic. When Clements began calling the people whose data was being sold, the first eight said they had purchased things either online or through mail order from Montgomery Ward. It was then that Clements realized, "there’s a high probability the entire database of Montgomery Ward was breached."
However, he is not yet sure whether the hackers were inflating their claim when they offered 200,000 records, or whether Milgrom’s number of 51,000 is correct.
Credit card firms have varied responses to breaches such as this one. Discover Financial Services LLC spokeswoman Mai Lee Ua said her company had addressed the problem by sending new cards to those who appeared in the compromised records. The consumers were not made aware of which merchant had been breached, she said.
In a statement issued Friday, MasterCard acknowledged its awareness of the breach, and said it had notified the banks that issue MasterCards, advising them to monitor the affected accounts for suspicious activity.
Visa declined to comment.
Linda Jeffers of Latrobe, Pa., a MasterCard cardholder whose data was found online, decided not to take any chances and canceled her card this month after being contacted by CardCops. She had used the card for Internet shopping only once, she told the AP, to purchase a desk from Montgomery Ward. She was stunned to learn her account had been compromised.
Before state notification laws were put in place, silence was the industry norm after a data breach such as the one experienced by Wards. But according to the National Conference of State Legislatures, 44 states now have laws on the books requiring companies that hold consumer data to notify customers when their information has been compromised.
However, Clements and other security experts say that many breaches are still kept silent, despite state notification laws. They cite the amount of data being sold in online black markets as evidence that the public is not always made aware of such breaches. Some analysts, such as Avivah Litan at Gartner, believe unreported data breaches may even outnumber the ones that do get publicized.
Litan told the AP it is particularly the case with online merchants. She believes a lack of pressure from credit card companies, which are not responsible for fraudulent charges in "card not present" transactions on the Internet or via mail order, is the reason for the underreporting. Until fraudulent charges actually appear on the card, the credit card companies would rather evade the cost of voiding compromised cards and issuing new ones, she said.
"What it reveals is the convoluted banking system," Litan said.
"If this had taken place at a grocery store, we all would have heard about it."
Litan said the silence that still follows breaches of data means that even people who have never been notified that their records have been compromised should nevertheless assume their information is floating online.
"Probably every one of our cards is up there somewhere now," she said.