funsec mailing list archives
Some Stores Quiet Over Card Breach
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Mon, 11 Aug 2008 22:41:19 -0400
Shocking!

http://online.wsj.com/article/SB121842142123128889.html?mod=todays_us_marketplace

Some Stores Quiet Over Card Breach
Customers Not Told About Alleged Theft of Consumer Data

By JOSEPH PEREIRA, JENNIFER LEVITZ and JEREMY SINGER-VINE
August 11, 2008

Most states mandate that companies tell their customers when their credit-card data is stolen from the stores. The laws are designed to give consumers a chance to protect themselves against fraud or identity theft.

But when federal prosecutors disclosed last week that computer hackers swiped more than 40 million credit-card numbers from nine retailers in the biggest such heist ever, it was the first time that many shoppers had heard about it.

That's because only four of the chains clearly alerted their customers to breaches. Two others -- Boston Market Corp. and Forever 21 Inc. -- say they never told customers because they never confirmed data were stolen from them.

The other retailers -- OfficeMax Inc., Barnes and Noble Inc., and Sports Authority Inc. -- wouldn't say whether they made consumer disclosures. Computer searches of their Securities and Exchange Commission filings, Web sites, press releases and news archives turned up no evidence of such disclosures.

The other companies allegedly targeted by the ring charged last week were: TJX Cos., BJ's Wholesale Club Inc., shoe retailer DSW Inc., and restaurant chain Dave and Buster's Inc. They each disclosed to customers they were breached shortly after the intrusions were discovered.

The disclosure issue emerged after the government charged 11 men in five countries, including the U.S., Ukraine and China, with orchestrating a high-tech operation to steal credit-card numbers from 2003 to 2008.

After an increasing number of such thefts in recent years, more than 40 states have adopted laws requiring companies to give consumers an early warning when their personal information is stolen.

Companies typically have made disclosures by letter, whenever possible, and through public announcements on the Web sites and in press releases to the media. Disclosure allows consumers to act quickly to limit losses -- by canceling their credit cards, changing their passwords or setting up credit-monitoring services.

The Federal Trade Commission estimates nearly $50 billion is lost annually as a result of identity theft and credit-card fraud, with part of it absorbed by banks.

"If I were the companies, I would be issuing public disclosures five nanoseconds after the indictments were announced," says Evan Stewart, an adjunct professor at Fordham University School of Law and an electronic-data breach expert. "If not, there could be big checks the companies will have to be writing" to cover consumer litigation, he said.

Dan Clements, chief executive of Affinion Security Center's CardCops unit, which monitors Internet chat-rooms for illegal trafficking of credit and debit cards, says many companies are reluctant to disclose breaches. "Telling the public that they've been breached is embarrassing for them, it makes them suffer a loss of goodwill and in the case of public companies, the stock price goes down."

OfficeMax has denied having any knowledge of a breach. New Jersey authorities who investigated the company in 2005 believed it was one of a number of retailers who was compromised, and last week's indictments describe how the defendants allegedly broke into their networks.

Boston Market and Forever 21 say their own investigations couldn't corroborate the government's findings. Federal officials say they stand by the information in the indictments.

...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.