BankInfoSecurity.com - Information Security News, Regulations, & Education

Retailer's Database Breached, Customers Not Notified

July 7, 2008 - Linda McGlasson, Managing Editor

This article was originally created for BankInfoSecurity.com, and contains information that should interest our GovInfoSecurity.com readers.
The parent company of the Montgomery Ward website had at least 51,000 records stolen out of a database last December, but failed to notify its customers.

The breach, first detected by Citigroup, a financial services company, showed hackers found a way into HomeVisions.com, a separate website of Direct Marketing Services, Inc., and then stole records from a database holding account information for all the company's retail holdings.

Direct Marketing Services, Inc., which has owned the Montgomery Ward brand since 2004, says it promptly told its payment processor and Visa and MasterCard, and it also notified the U.S. Secret Service. The company, however, did not inform the customers whose credit card information was stolen in the hack.

In June, the breach was made public after the company CardCops, an investigative firm that tracks credit card thefts for the financial services industry, found more than 200,000 payment cards being offered for sale on an Internet chat room often visited by card thieves.

Direct Marketing Services says it now plans to contact consumers -- more than six months after the breach occurred. Visa's guidelines don't cover the notification of consumers, which is required by 44 states' individual data breach notification laws. The consequences of non-compliance with these laws, depending upon the individual state, range from fines levied against the company to allowing customers to file lawsuits against the breached company.

While Visa guidelines don't tell retailers to notify the public, David Taylor, President of the PCI Security Alliance, says the "common sense" of doing business should have kicked in for the senior management at Direct Marketing Services. "A lot of retailers don't know the state laws about data breach notification, but unless a retailer is a mom and pop retailer and doing business online, they're likely doing business with customers in more than one state," Taylor says.

Taylor adds that some states' data breach notification laws require a company to have an incident response plan -- something the majority of retailers don't have. "If this company had an incident response plan, it would have addressed the need to notify its affected customers," he adds.

Retailers, unlike financial institutions, aren't heavily regulated by federal or state agencies in the area of risk management, he notes. "There's nobody in their face on this question of data breach notification," Taylor says. "It only gains attention if a breach happens. There is no one from the State Attorney General's office asking where their risk management plan or incident response plan is before a breach happens."


Question: What do you say to an organization that opts not to inform its customers after a data breach?

Reader comments (posted anonymously):

This is another sign that our Government agencies need to work "together" just a little better to cover their basics, get rid of the us and them, and work on the "we." As for Montgomery Ward, I truly hope it goes to court.

Sometimes, ethics have to be forced...unfortunately.

Why are non-bank institutions being given an "out clause" regarding responsibility to their customers? The non-bank entities don't care if they are "helping to defraud" a customer. As far as they are concerned, banks are rich, let them take care of the loss! And evidently our own government regulations agree with them. How much of this fraudulent activity has to take place before consumers and bank regulators say "it's enough?"

While it is a good practice...as you have pointed out in other articles...all the various states' laws on this subject have made little or no difference.

If the merchant takes a counterfeit bill or fraudulent check, they suffer the loss. Look how careful they are when taking these forms of payment. Rarely do they check the ID or signature line on the back of a credit card. Why should they? Banks cover any fraudulent transactions. If the retailer or merchant was directly liable for the credit card loss -- and not the financial institution -- their controls and procedures would be much better.

It's the same for this situation. Trying to cover up a breach under the guise of "we didn't know we had to notify the customer" is gross incompetence. They should be fined heavily.

I will never shop at Montgomery Ward again. They have a responsibility to the customer. They dropped the ball by not protecting their customers' information, and then they didn't notify customers once they found out about the breach. Bad, bad, bad.

If a company, especially a major one, has its data files breached, they most definitely should notify those that might be involved. The notice can be as simple as a general announcement on the news or a simple flyer sent out stating that their info has been compromised. If not, they should at least be partially financially responsible for losses incurred. In this day & age of computers & all the finance that takes place via the internet and other data being sent via "the wires," everyone, not just banks, has to take the necessary steps to prevent fraud and ID theft, or else be held responsible for the losses that can be incurred.

Shame on them!!!!!

I'd say they should be fined, and responsible for identity theft issues presently and going forward...talk about a horrid sense of responsibility.....that should be criminal.

Not only should they be liable for any losses incurred by individuals, they should remain liable for future identity theft incidents that can be traced to their breach of our personal information. They should also be fined and forced to get compliant with the PCI standards within a very short period of time. They had the chance to do it themselves and they didn't, putting our information at risk because of their lack of information security. They should be subject to a strict PCI audit after their short compliance timetable. It's going to get a lot worse before it gets better. Think about all of the retailers that have your data. There's no way to be sure they have taken the necessary steps to put the proper security measures in place. If they had a stamp of approval by the PCI group proving they have been audited and continue to be monitored, that would go a long way in assuring the physical and virtual customers that the retailer is at a strong level of information security.

They should be liable for any loss incurred.