Lessons learned: The Montgomery Ward breach


Paul Korzeniowski, Contributor
09.18.2008




In December 2007, retailer Montgomery Ward found out its system had been hacked and between 51,000 and 200,000 records were compromised.

The Cedar Rapids, Iowa-based company was notified of the problem by Citibank, whose monitoring system identified unusual activity for customers buying items at the Montgomery Ward website. Montgomery Ward then notified other financial services companies; however, it didn't tell its customers until June of the following year.

CardCops, a Trumbull, Conn.-based company that monitors hacker sites to try and identify instances of identity theft, also noticed some unusual activity and alerted the media.

"There were a number of credit cards with the same company IDs, and after checking with customers, we determined they belonged to Montgomery Ward," explained CardCops' President Dan Clements.

In the aftermath, the company claimed that it complied with state disclosure regulations and planned to contact consumers.

Locating the problem
Despite a growing number of states passing laws to enforce breach disclosure, there is a disconnect between perceptions about recent efforts to protect consumers and the actual impact of such breaches. There are myriad reasons why, including the bottom-line costs of such problems and the difficulty of using the courts to recover damages. While companies are now a bit more forthcoming about such problems, the level of disclosure falls short of what consumer advocates want.

"Large financial institutions understand the danger in exposing customer information and many have taken steps to protect it," said Avivah Litan, vice president and distinguished analyst at Stamford, Conn.-based Gartner, Inc.

Consequently, the security holes are usually at the other end of the transaction: the retailers selling the goods. While news reports focus on massive breaches, such as the TJX Cos. Inc. case a few years ago, it is more likely that hackers will break into a small or medium retailer's systems.

Once a breach occurs, the retail company has no reason to make the breach known and plenty of reasons not to publicize it. As a result, in most cases the retailer will only notify its financial services company.

These firms, too, have no reason to bring more attention to the event. "The credit card companies are not responsible for any of the fraudulent charges in 'card not present' transactions, such as ecommerce," noted Gartner's Litan.

In the Montgomery Ward case, Discover Financial Services issued new cards to its Montgomery Ward customers, but didn't tell them about the breach. Other financial services firms only monitored their Montgomery Ward customer accounts.

Many credit card companies have invested in sophisticated software designed to monitor unusual activity on customer accounts and close down compromised accounts before thieves run up astronomical charges. In sum, their focus has been on minimizing the damage from a breach rather than maximizing publicity about it.
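The pattern that both Citibank's monitoring and CardCops noticed, many cards with later fraud sharing one merchant, is what analysts call a common point of purchase. The following is an added illustration of that idea, not code from the article or from any issuer's monitoring system; the card ids, merchant names, fraud list and thresholds are all constructed assumptions.

```python
"""Common-point-of-purchase (CPP) analysis: given a set of cards that later
showed fraud, find the merchant that an unusually large share of them had in
common. Added illustration only; the data below is constructed, not real."""
from collections import defaultdict

# Constructed purchase history: (masked card id, merchant). Not real data.
TRANSACTIONS = [
    ("card-001", "grocer.example"), ("card-001", "mward.example"),
    ("card-002", "mward.example"), ("card-002", "fuel.example"),
    ("card-003", "mward.example"),
    ("card-004", "grocer.example"), ("card-004", "fuel.example"),
    ("card-005", "mward.example"), ("card-005", "grocer.example"),
    ("card-006", "fuel.example"),
    ("card-007", "mward.example"),
    ("card-008", "grocer.example"),
    ("card-009", "grocer.example"),
    ("card-010", "fuel.example"),
]

# Constructed list of cards that later had confirmed fraudulent charges.
FRAUD_CARDS = {"card-001", "card-002", "card-003", "card-005", "card-007"}


def merchants_by_card(transactions):
    """Map each card to the set of merchants it was used at."""
    seen = defaultdict(set)
    for card, merchant in transactions:
        seen[card].add(merchant)
    return seen


def common_point_scores(transactions, fraud_cards):
    """For every merchant, compare the share of fraud cards that shopped there
    with the share of all cards that shopped there. A merchant whose fraud-card
    share is far above its baseline share is a candidate compromise point.
    Returns {merchant: (fraud_share, baseline_share, lift)}."""
    by_card = merchants_by_card(transactions)
    all_cards = set(by_card)
    fraud_present = fraud_cards & all_cards
    if not fraud_present:
        return {}
    scores = {}
    merchants = {m for ms in by_card.values() for m in ms}
    for m in merchants:
        shoppers = {c for c, ms in by_card.items() if m in ms}
        baseline = len(shoppers) / len(all_cards)
        fraud_share = len(shoppers & fraud_present) / len(fraud_present)
        lift = fraud_share / baseline if baseline else 0.0
        scores[m] = (fraud_share, baseline, lift)
    return scores


def flag_common_point(transactions, fraud_cards, min_lift=1.5, min_fraud_share=0.5):
    """Return the merchant most over-represented among fraud cards, or None if
    nothing clears the (assumed) thresholds. An analyst still confirms the hit
    before the issuer reissues cards, as Discover did in the article."""
    scores = common_point_scores(transactions, fraud_cards)
    if not scores:
        return None
    merchant, (fraud_share, _baseline, lift) = max(
        scores.items(), key=lambda kv: kv[1][2])
    if lift >= min_lift and fraud_share >= min_fraud_share:
        return merchant
    return None


if __name__ == "__main__":
    for name, (fs, bs, lift) in sorted(
            common_point_scores(TRANSACTIONS, FRAUD_CARDS).items()):
        print(f"{name:16s} fraud_share={fs:.2f} baseline={bs:.2f} lift={lift:.2f}")
    print("candidate compromise point:", flag_common_point(TRANSACTIONS, FRAUD_CARDS))
```

The lift ratio, rather than a raw count, is what keeps a merchant that simply has many customers (a grocer everyone uses) from being flagged; only a merchant whose share among fraud cards exceeds its everyday share stands out.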

The TJX effect
Recently, the government has stepped in and tried to break the code of silence. While there are now disclosure laws in 44 states, the laws are open to interpretation about what disclosure means and requires.

States have passed disclosure laws, but to date, their attorneys general have been reluctant to press charges against offenders. Outraged consumers have a couple of options. They can either move on, which most seem to have done, or take the offending companies to court.

"It would not surprise me if we see a number of consumers joining together and filing class action suits against companies that have not adequately protected their personal data," said CardCops' Clements.

That scenario has already unfolded with TJX, which had 45.7 million credit cards compromised in 2006-2007. In January 2008, the company reached a settlement that provides customers with vouchers, cash benefits (checks in lieu), credit monitoring, identity theft insurance, and reimbursements to those affected by the computer system intrusions. However, the TJX case focused on making amends to customers whose information was compromised, not on the company's efforts to keep the breach quiet.

About the author:
Paul Korzeniowski is a freelance writer who focuses on security issues. He is based in Sudbury, Mass. and can be reached at paulkorzen@aol.com.
