Breach, Threat Management, Data Security, Incident Response, TDR

Report: Montgomery Ward fails to alert victims of breach

Mongomery Ward, an old-line merchant now operating as an internet retailer, suffered a breach of some 51,000 customer credit card numbers, and failed to report it to customers, according to reports.

The furniture retailer, which was once a fixture in towns across America, went belly-up in 2001, but came back, lives on as an internet storefront under the name, owned by Direct Marketing Services.

Hackers in December extracted the stolen information from an online database that held credit card account information, according to an Associated Press report. Direct Marketing Services notified the major credit card brands of the incident but failed to alert customers.

Now, it plans to.

The effect on the company is still unclear. Companies that do not notify their affected customers can be sued, though the exact legal measures vary state by state. Some 44 states have passed laws that call for organizations holding consumer data to notify affected consumers if their information has been compromised.

“It would seem that notifying the customer would be the prudent thing to do,” Dan Clements, president of CardCops, a security research firm involved in uncovering the breach told on Friday. “Before these disclosure laws came out, nobody notified any consumers; the consumer was the last to know.”

This is just the latest in a continuing string of data breaches involving lost consumer information. Why is this criminal activity cropping up more often? The reason seems to be market efficiency.

“In the early days of the internet there were few places where stolen consumer information could be bought and sold,” Clements said. “Now what we call ‘The Force,' or a professional criminal element, has pulled that data out of corporate America.”

In other words the criminal marketplace has matured. And existing remedies are sometimes tedious.

Said Avivah Litan, Gartner vice president and distinguished analyst: “People do suffer in these when their information is stolen and used on the internet, because they still have to file a claim.”

Moreover, the claim process can take a lot of time and effort, and is not always successful.

“Typically they get their money back, but sometimes they don't,” she said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.