NEW YORK (June 27) - An old name in retail was hit by a modern scourge - a hack of its customers' credit card numbers - but didn't inform the consumers, revealing how data breaches might be heavily undercounted even with new notification laws.
At least 51,000 records were exposed in the breach at the parent company of Montgomery Ward. The venerable Wards chain that began in 1872 went out of business in 2001, but in 2004 a catalog company, Direct Marketing Services Inc., bought the brand name out of bankruptcy. It now runs a Wards.com Web site along with six other sites, including three with Sears brands it has acquired: SearsHomeCenter.com, SearsShowplace.com and SearsRoomforKids.com.
Direct Marketing Services' CEO, David Milgrom, said the financial company Citigroup detected the computer invasion in December. By going through HomeVisions.com, another Direct Marketing Services site, hackers had plundered the database that holds account information for all the company's retail properties.
Milgrom said Direct Marketing Services immediately informed its payment processor and Visa and MasterCard. Then, Milgrom said, Direct Marketing Services closely followed a set of guidelines, issued by Visa, on how to respond to a security breach. That included a report to the U.S. Secret Service. He said he believed by the end of December that Direct Marketing Services had met its obligations.
However, those guidelines from Visa are largely technical, and they do not cover a key additional step: that notification laws in nearly every state generally require organizations that have been hacked to come clean to the affected consumers, not just to the financial industry.
Companies that fail to comply can be hit with fines or be sued by affected customers, depending on the state.
As a result, scores of breaches covering hundreds of millions of consumer accounts have been disclosed by banks, universities, corporations and retailers in recent years.
After being asked about those laws by The Associated Press, Milgrom said Direct Marketing Services now plans to contact consumers.
This hack might have stayed quiet except for online chatter detected in June by Affinion Group Inc.'s CardCops, a group of investigators who track payment-card theft for financial institutions. In Internet chat rooms frequented by card thieves, CardCops spotted hackers touting the sale of 200,000 payment cards belonging to one merchant. CardCops then intercepted several hundred of the records, along with the online handles belonging to hackers whose real names remain unknown.
Along with the card numbers, their three-digit "security codes" and expiration dates, the thieves had the cardholders' names, addresses and phone numbers. The data had been organized in the same way, indicating the numbers likely came from the same database. CardCops' president, Dan Clements, also noticed that the vast majority of the cardholders were women, a clue that the records came from a merchant catering to a certain demographic.
When he began calling them, the first eight said they had bought things online or through mail order from Montgomery Ward. At that point, Clements realized, "there's a high probability the entire database of Montgomery Ward was breached."
It is not clear to Clements, though, whether the hackers were inflating their claim when they offered 200,000 records or whether Milgrom's number of 51,000 is accurate.
The credit card industry's response to the breach varied.
A spokeswoman for Discover Financial Services LLC, Mai Lee Ua, said her company had addressed the problem by sending new cards to its cardholders who appeared in the compromised records. Ua said they weren't told which merchant had been breached.
Visa declined to comment. MasterCard issued a statement Friday acknowledging it was aware of the breach at Direct Marketing Services, and had notified the banks that issue MasterCards, telling them to monitor the accounts for suspicious charges.
Linda Jeffers of Latrobe, Pa., decided not to take any chances in waiting. Jeffers, a MasterCard cardholder whose data were found online, canceled her card this month after being contacted by CardCops.
She told the AP she had used the card for Internet shopping only once, from her son's computer - she bought a desk from Montgomery Ward - and was surprised to hear her account had been compromised.
Such silence was the norm in the industry for years. But in response to fears of identity theft, 44 states have passed laws that generally require organizations holding consumer data to tell people when their information has leaked, according to the National Conference of State Legislatures.
Clements and other security analysts say that despite those laws, many breaches still are kept quiet, judging by the data being hawked in online black markets. Avivah Litan, an analyst at Gartner Inc., believes unreported data breaches might still outnumber the ones that do get publicized.
Litan says it especially is the case with online merchants. She believes it happens because of a lack of pressure from credit card companies, which are not responsible for fraudulent charges in "card not present" transactions over the Web and mail order. Until fraud actually appears on the card, they'd rather avoid the cost of voiding compromised cards and giving consumers new ones, she said.
"What it reveals is the convoluted banking system," she said. "If this had taken place at a grocery store, we all would have heard about it."
In fact, because of the silence that still sometimes follows data breaches, even people who have never been informed one of their records has leaked should assume their information is floating online, Litan said.
"Probably every one of our cards is up there somewhere now," she said.