funsec mailing list archives

Some Stores Quiet Over Card Breach


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Mon, 11 Aug 2008 22:41:19 -0400


Shocking!

http://online.wsj.com/article/SB121842142123128889.html?mod=todays_us_marketplace

Some Stores Quiet Over Card Breach
Customers Not Told About Alleged Theft of Consumer Data

By JOSEPH PEREIRA , JENNIFER LEVITZ and JEREMY SINGER-VINE
August 11, 2008

Most states mandate that companies tell their customers when their
credit-card data is stolen from the stores. The laws are designed to give
consumers a chance to protect themselves against fraud or identity theft.

But when federal prosecutors disclosed last week that computer hackers
swiped more than 40 million credit-card numbers from nine retailers in the
biggest such heist ever, it was the first time that many shoppers had heard
about it.

That's because only four of the chains clearly alerted their customers to
breaches. Two others -- Boston Market Corp. and Forever 21 Inc. -- say they
never told customers because they never confirmed data were stolen from
them.

The other retailers -- OfficeMax Inc., Barnes and Noble Inc., and Sports
Authority Inc. -- wouldn't say whether they made consumer disclosures.
Computer searches of their Securities and Exchange Commission filings, Web
sites, press releases and news archives turned up no evidence of such
disclosures.

The other companies allegedly targeted by the ring charged last week were:
TJX Cos., BJ's Wholesale Club Inc., shoe retailer DSW Inc., and restaurant
chain Dave and Buster's Inc. They each disclosed to customers they were
breached shortly after the intrusions were discovered.

The disclosure issue emerged after the government charged 11 men in five
countries, including the U.S., Ukraine and China, with orchestrating a
high-tech operation to steal credit-card numbers from 2003 to 2008.

After an increasing number of such thefts in recent years, more than 40
states have adopted laws requiring companies to give consumers an early
warning when their personal information is stolen. Companies typically have
made disclosures by letter, whenever possible, and through public
announcements on the Web sites and in press releases to the media.
Disclosure allows consumers to act quickly to limit losses -- by canceling
their credit cards, changing their passwords or setting up credit-monitoring
services. The Federal Trade Commission estimates nearly $50 billion is lost
annually as a result of identity theft and credit-card fraud, with part of
it absorbed by banks.

"If I were the companies, I would be issuing public disclosures five
nanoseconds after the indictments were announced," says Evan Stewart, an
adjunct professor at Fordham University School of Law and an electronic-data
breach expert. "If not, there could be big checks the companies will have to
be writing" to cover consumer litigation, he said.

Dan Clements, chief executive of Affinion Security Center's CardCops unit,
which monitors Internet chat-rooms for illegal trafficking of credit and
debit cards, says many companies are reluctant to disclose breaches.
"Telling the public that they've been breached is embarrassing for them, it
makes them suffer a loss of goodwill and in the case of public companies,
the stock price goes down."

OfficeMax has denied having any knowledge of a breach. New Jersey
authorities who investigated the company in 2005 believed it was one of a
number of retailers that were compromised, and last week's indictments
describe how the defendants allegedly broke into their networks. Boston
Market and Forever 21 say their own investigations couldn't corroborate the
government's findings. Federal officials say they stand by the information
in the indictments.

...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.