In December 2007, retailer Montgomery Ward found out its system had been hacked and between 51,000 and 200,000 records were compromised.
The Cedar Rapids, Iowa-based company was notified of the problem by Citibank, whose monitoring system identified unusual activity among customers who had bought items at the Montgomery Ward website. Montgomery Ward then notified other financial services companies; however, it did not tell its own customers until June of the following year.
CardCops, a Trumbull, Conn.-based company that monitors hacker sites to try to identify instances of identity theft, also noticed some unusual activity and alerted the media.
"There were a number of credit cards with the same company IDs, and after checking with customers, we determined they belonged to Montgomery Ward," explained CardCops' President Dan Clements.
In the aftermath, the company claimed that it complied with state disclosure regulations and planned to contact consumers.
Locating the problem
Despite a growing number of states passing laws to enforce breach disclosure, there is a disconnect between perceptions of recent efforts to protect consumers and the actual impact of such breaches. There are myriad reasons why, including the bottom-line costs of such problems and the difficulty of using the courts to recover damages. While companies are now a bit more forthcoming about such problems, the level of disclosure falls short of what consumer advocates desire.
"Large financial institutions understand the danger in exposing customer information and many have taken steps to protect it," said Avivah Litan, vice president and distinguished analyst at Stamford, Conn.-based Gartner, Inc.
Consequently, the security holes are usually at the other end of the transaction: the retailers selling the goods. While news reports focus on massive breaches, such as the TJX Cos. Inc. case a few years ago, it is more likely that hackers will break into a small or medium-sized retailer's systems.
Once a breach occurs, the retail company has no reason to make the breach known and plenty of reasons not to publicize it. As a result, in most cases the retailer will notify only its financial services company.
These firms, too, have no reason to bring more attention to the event. "The credit card companies are not responsible for any of the fraudulent charges in 'card not present' transactions, such as ecommerce," noted Gartner's Litan.
In the Montgomery Ward case, Discover Financial Services issued new cards to its Montgomery Ward customers, but didn't tell them about the breach. Other financial services firms only monitored their Montgomery Ward customer accounts.
Many credit card companies have invested in sophisticated software designed to monitor customer accounts for unusual activity and close down compromised accounts before thieves run up astronomical charges. In sum, their focus has been on minimizing the damage from a breach rather than maximizing publicity about it.
The TJX effect
Recently, the government has stepped in and tried to break the code of silence. While there are now disclosure laws in 44 states, the laws are open to interpretation about what disclosure means and requires.
States have passed disclosure laws, but to date their attorneys general have been reluctant to press charges against offenders. Outraged consumers have a couple of options: they can either move on, which most seem to have done, or take the offending companies to court.
"It would not surprise me if we see a number of consumers joining together and filing class action suits against companies that have not adequately protected their personal data," said CardCops' Clements.
That scenario has already unfolded with TJX, which had 45.7 million credit cards compromised in 2006-2007. In January 2008, the company reached a settlement that provides customers with vouchers, cash benefits (checks in lieu), credit monitoring, identity theft insurance, and reimbursements to those affected by the computer system intrusions. However, the TJX case focused on making amends to customers whose information was compromised, not on the company's efforts to keep the breach quiet.
About the author:
Paul Korzeniowski is a freelance writer who focuses on security issues. He is based in Sudbury, Mass. and can be reached at firstname.lastname@example.org.