Retailer's Database Breached, Customers Not Notified

The parent company of the Montgomery Ward website had at least 51,000 records stolen out of a database last December, but failed to notify its customers.

The breach, first detected by Citigroup, a financial services company, showed that hackers found a way into a separate website of Direct Marketing Services, Inc., and then stole records from a database holding account information for all the company's retail holdings.

Direct Marketing Services, Inc., which has owned the Montgomery Ward brand since 2004, says it promptly told its payment processor and Visa and MasterCard, and it also notified the U.S. Secret Service. The company, however, did not inform the customers whose credit card information was stolen in the hack.

In June, the breach was made public after the company CardCops, an investigative firm that tracks credit card thefts for the financial services industry, found more than 200,000 payment cards being offered for sale on an Internet chat room often visited by card thieves.

Direct Marketing Services says it now plans to contact consumers -- more than six months after the breach occurred. Visa's guidelines don't cover the notification of consumers, which is required by 44 states' individual data breach notification laws. The penalties for non-compliance with these laws, depending upon the individual state, range from fines levied against the company to allowing customer lawsuits to be filed against the breached company.

While Visa guidelines don't tell retailers to notify the public, David Taylor, President of the PCI Security Alliance, says the "common sense" of doing business should have kicked in for the senior management at Direct Marketing Services. "A lot of retailers don't know the state laws about data breach notification, but unless a retailer is a mom and pop retailer and doing business online, they're likely doing business with customers in more than one state," Taylor says.

Taylor adds that some states' data breach notification laws require a company to have an incident response plan -- something the majority of retailers don't have. "If this company had an incident response plan, it would have addressed the need to notify its affected customers," he adds.

Retailers, unlike financial institutions, aren't heavily regulated by federal or state agencies in the area of risk management, he notes. "There's nobody in their face on this question of data breach notification," Taylor says. "It only gains attention if a breach happens. There is no one from the State Attorney General's office asking where their risk management plan or incident response plan is before a breach happens."

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.