Geeks.com Website Hacked, Customer Data Stolen

If you bought anything from Geeks.com in at least the last year or so, you might want to start paying close attention to your credit card statements—the company sent out an email on Friday telling former customers that they “recently discovered on December 5, 2007 that customer information, including Visa credit card information, may have been compromised.” Full email after the jump.

Genica Corporation
dba Geeks.com
1890 Ord Way
Oceanside, CA 92056
January 4, 2008

[address redacted]

Dear [name redacted]

The purpose of this letter is to notify you that Genica dba Geeks.com (“Genica”) recently discovered on December 5, 2007 that customer information, including Visa credit card information, may have been compromised. In particular, it is possible that an unauthorized person may be in possession of your name, address, telephone number, email address, credit card number, expiration date, and card verification number. We are still investigating the details of this incident, but it appears that an unauthorized individual may have accessed this information by hacking our eCommerce website.

We take this breach of our data seriously, and we deeply regret that this incident has occurred. We immediately reported this crime to local law enforcement authorities, as well as the Secret Service and other federal authorities. We also reported the incident to Visa. We have engaged an outside, nationally recognized security firm to determine how this incident occurred and to confirm that information we obtain is protected to the fullest extent reasonably possible.

To protect against possible identity theft or other financial loss, we encourage you to review your Visa credit card account statements and to monitor your credit reports as provided below. To assist you, Genica has taken the following steps:

We have set up a toll-free, call-in number to assist you with questions or concerns you may have related to this incident. All questions should be directed to 1-888-529-6261 or 1-212-560-5108 for non-US recipients.
PLEASE NOTE: These numbers will be active beginning on Tuesday, January 9, 2008.

We have provided names and contact information for the three major U.S. credit bureaus below. At no charge, you can have the agency place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.
| Agency | Toll-Free | Website |
|---|---|---|
| Experian | 888-397-3742 | http://www.experian.com |
| Equifax | 800-525-6285 | http://www.equifax.com |
| TransUnion | 800-680-7289 | http://www.transunion.com |

You are also entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit http://www.annualcreditreport.com or call toll-free (877) 322-8228. For additional information on how to further protect yourself against identity theft, you may wish to visit the web site of the U.S. Federal Trade Commission at http://www.consumer.gov/idtheft, or, for California residents, the web site of the California Office of Privacy Protection at http://www.privacy.ca.gov.
Again, we deeply regret this incident and any inconvenience or concern it may cause you. We are working diligently to investigate and resolve the matter.
Sincerely,

Jerry L. Harken
Chief of Security
Genica Corporation
DBA: Geeks.com
assistance.RemoveThis@geeks.com

(Thanks to Bob!)

Comments

  1. s25843 says:

    So much for that “Hacker Safe” banner on the website.

  2. tange1 says:

    Great, I think I bought stuff from them. After all this mess are you entitled to a free report like when you’re turned down for credit? I know what annual credit report is but what if I want a report in the next month or so and I’m not eligible for an annual report?

  3. Diana Scott says:

    Tuesday is January 8, isn’t it? Not the 9th like it says.

  4. Chairman-Meow says:

    Thank god they are “taking this very seriously” ! I was really concerned there for a moment.

  5. recently discovered on December 5, 2007

    Do they mean that they just discovered that the breach happened on December 5th or that they discovered the breach on December 5th and think that over a month ago counts as recent?

    Either it took them a month to realize something happened or they waited a month to say something about it.

  6. nffcnnr says:

    …but this doesn’t stop Consumerist from hawking Geeks.com via Dealhack on the very next blog post!! Whiskey tango foxtrot, Consumerist???

  7. gamabunta says:

    At the very least, they should offer credit monitoring for 6 months to any customer who wants it.

    And I can’t find anything to remove my information or cancel my account on their site. WTF?

  8. AT203 says:

    Dammit, merchants are not supposed to store the CVV2 numbers in the same place as the credit card number!!

  9. headon says:

    They knew but why make customers jittery pre-Christmas. Way to put your customers first. Hope that Holiday sales bump was worth it.

  10. gamabunta says:

    I just got off the phone with someone at the 1-888-529-6261 number and he said they don’t keep card info on file. He said they only keep names and addresses on file. He sounded like he didn’t know anything about the hack either.

    Seems like the info hasn’t gone down chain of command yet.

  11. kimsama says:

    @Diana Scott: Yeah, that stood out to me, too.

    Wow, really makes you feel good when you entrust your credit information to a group that isn’t even clear on what date Tuesday is.

  12. stevemis says:

    If they really were geeks, this wouldn’t have happened.

  13. jkhazael says:

    as of 9:23 est the site still says it is “Hacker safe” “tested daily”

  14. Lawk Salih says:

    “The purpose of this letter is to notify you that Genica dba Geeks.com (“Genica”) recently discovered on December 5, 2007 that customer information, including Visa credit card information, may have been compromised.”

    I like how they used the word “compromised” instead of stolen. ‘:’/

  15. Lawk Salih says:

    LOL, I couldn’t stop laughing when I saw the “Hacker Safe” button on the upper left hand side of the image.

  16. chucklebuck says:

    They keep repeating “Visa credit cards” – is that the only type of card this breach affects? That seems unlikely to me somehow.

    I bought something from them 2 years ago with a non-Visa card, but they sent the wrong item and returning it was such a pain in the arse that I never went back again. I didn’t get the e-mail, but I wonder how far back the stolen data goes.

  17. manok says:

    but but they are “taking it seriously!!!”

  18. emona says:

    I just bought something from them, but it was on December 26. Hopefully they got their asses in gear once they noticed the breach instead of lollygagging around like they did with the announcement.

    I paid with my Mastercard debit card, not a Visa. Guess I’ll go call the bank just in case.

  19. mac-phisto says:

    @AT203: it’s possible that they aren’t storing it. they refer to their web server being hacked…if someone found an exploit in the transaction process, they could glean the info during submittal.

  20. Mr_Human says:

    Hmmm, I made a purchase on Geeks within the last year, but I didn’t get this email. I used a MC, so I’m wondering if that exempts me. It does seem strange that only one type of card info would have been compromised.

  21. I’m pretty sure I’ve only used PayPal with Geeks.com, so I should be safe from this.

    I have not, however, received the e-mail.

    Could this be a hoax? Disgruntled customer doing some media hacking to make Geeks.com look bad?

  22. Justin42 says:

    Hrrm, I bought some stuff from Geeks back in September and the American Express card I used had about $1000 of fraudulent charges over the weekend of December 2-4, when I finally shut the card off. It was an Amex– they actually wouldn’t cancel the card after the first charge, which shocked me, but after seeing more charges I finally got them to cancel it.

    So this seems a very interesting/possible explanation as to what happened…

  23. Justin42 says:

    (I should add, I didn’t get the email either) I’ve used them on and off in the last 5 years and have never had a problem. Hrrrm.

  24. Justin42 says:

    I should also add, some of the charges seemed to center in the San Diego area, which is where they are… hrrrm.. inside job?

  25. emona says:

    I also did not get the e-mail.

  26. There’s nothing on the Geeks.com website. I’ve sent an e-mail asking them to confirm.

  27. Buran says:

    @manok: Yeah, why isn’t this in the “taking it seriously” category?

    That said, screw ‘em. They claim they’re hacker-safe, which is obviously a lie. Good thing I never used their service. Now I guess I never will.

  28. nakmario says:

    I didn’t get the email… does anyone know if Paypal information would be compromised???

  29. backbroken says:

    Is this the point in time where we can finally admit that there is no safe way to use a credit card?

  30. Bay State Darren says:

    If only there were some segment of the population, obsessed with computers, who could use their expertise to combat hacking [or target it] at Geeks.com? They should have a word, some piece of popular slang, to identify such people, by which such individuals could become known to the management of the aforementioned Geeks.com.

  31. nightshadowon says:

    True or not, I went ahead and put a fraud alert on my credit at Experian.com. Using the fraud alert also came with a free report, and nothing suspicious so far.

  32. MumblesFumbles says:

    Hey i didn’t get an email either and I bought something within the past month from them. Geeks has always seemed a tad shady to me to be honest.

  33. m0unds says:

    @nffcnnr: I wonder if the DVD player comes with free identity theft.

  34. Cyfun says:

    Okay, who here did actually receive this email? Maybe this is just a hoax…

  35. Optimistic Prime says:

    @Eric J2: Electric Jewgaloo: A very good idea. I did the same thing and pointed them to this post. The glaring thing I notice is the second phone number is a totally different area code than that of the Geeks.com phone numbers. I don’t have long distance on my phone, otherwise I’d just call them…

    BTW, I’ve ordered from them, and haven’t gotten the e-mail yet. I do get their daily e-mail, so this should’ve come in as well…

  36. rlee says:

    @mac-phisto: Except they specifically and repeatedly referred to Visa card data, which struck me as strange. I could see, maybe, that they store transactions involving Visa cards separately from others, but if the hackers were intercepting there’d be no separation at that point.

  37. douglips says:

    Virtual account numbers rule. I bought something from geeks.com, but I don’t give a crap whether someone stole the credit card number, because it was a throwaway card number.

    I’ve got some pretty pictures of the old MBNA (now Bank of America) system here:
    [www.douglips.com]

  38. josh42042 says:

    That’s good that they came out and emailed people right away, but they really need to call their customers up and let them know. how many people use a throwaway email address when placing orders online? I use one account for purchases that gets spammed to sh*t, and one for my own personal use. I don’t check the spam account unless i’ve placed an order or something.

  39. iamme99 says:

    I have looked at their site but according to my Quicken records, have never bought anything from them. Whew.

    I’ve had to type in the CCV2 number in many credit card purchases. I guess the assumption is that if you didn’t have the physical card, then you wouldn’t know this number. But as mentioned above, it seems to be common sense that you shouldn’t store this number WITH the credit card number. Better yet, I’d rather that companies DON’T store my CC number at all. I’m fine with reentering it when I decide to purchase something again.

  40. Teradoc says:

    Well isn’t this just peachy…
    This past weekend I’ve been having fun talking with my Wells Fargo Credit Card people – because I’ve had 7 fraudulent charges put onto my WF Visa card – the same card I used back in the Spring of 2007 to buy an external HD case from geeks.com.
    Might be just a coincidence that my card # gets stolen and geeks.com was hacked in early December, but I am not happy because these two things feel like they’re going hand-in-hand….also I never received this supposed email.

    First and last time I buy from geeks.com

  41. mac-phisto says:

    @douglips: i used to use shopsafe all the time. didn’t realize it transferred to boa, but i just checked my account & hurrah!

    best idea ever.

  42. BugMeNot2 says:

    Sounds like someone should have spent some real money protecting their users and used a real security auditing service like those provided by Qualys.

    I have used their free QualysGuard scanner when others have failed. What a joke.

    http://www.qualys.com is where McAfee should look for some help.

    LOL

  43. CyGuy says:

    I made a purchase from them in June using a VISA and I have not received an email yet. I’ll check with VISA for unusual charges tomorrow, there was nothing on my last bill.

  44. ninjatales says:

    OMFG. I almost bought an HDTV back in November on their website. Lucky for me, Newegg had a slightly better deal which saved my ass.

  45. crankymediaguy says:

    “Could this be a hoax? Disgruntled customer doing some media hacking to make Geeks.com look bad?”

    Nope. I’m the person who forwarded the email to Consumerist.com. It’s legit.

    I wrote a note to Consumerist which I attached to the email from Geeks.com (which they didn’t include in this posting) explaining the circumstances. In it I said that we hadn’t bought anything from Geeks.com in at least a year. That turns out to be not correct. The last purchase we made from them was in February 2007.

    The purchase was made with a Visa debit card, which may account for their mentioning Visa. Why the hack might not affect other credit/debit cards, I have no idea.

    Anyway, if you’ve bought anything from Geeks.com, it’s probably a good idea to check with them to make sure everything is cool. As a result of this, we’ve had to get a new Visa card (Visa was very good about taking the charge off the old card).

  46. tange1 says:

    The phone number supplied above is pretty well useless. They read you a generic line about ‘an unauthorized individual gained access to our commerce website’. If you actually have a worthwhile question they are directing you to their legal counsel. Call 312-873-7472.

  47. sektor22 says:

    @Justin42:
    Same thing happened to me, I thought my amex info had been “compromised” at another site, but I’m pretty sure now that it was from my purchases at geeks.

  48. garys says:

    I used a mastercard at geeks.com a few months ago, read this, and checked my mastercard statement. Sure enough, I had a fraudulent charge from 3 days ago to CCbill.com. I’m calling to cancel the card now.

    The question I have is why they never sent me a notice of this theft. Are they really that incompetent?

    Count me in on the class action lawsuit.

  49. geekfreako8 says:

    I contacted geek.com hotline #888-529-6261 and some female told me that only visa card holders are affected by this tragedy. I was very concerned about this because I’ve been a customer since 2001 but I only used MC and AMEX cards. It’s sad people are doing this craziness. I really think that these people need to get a min of 20yrs in jail to set an example!

  50. Usama says:

    I CALLED THEM, SPOKE TO A LIVE PERSON.

    I did NOT use Visa, it is only Visa cards that are affected (as the e-mail says), I used Paypal and so you’re safe w/ that.

  51. JimmyJammer says:

    I called Geeks.com customer service, listed in their Contact Us section, and actually got through pretty quick. The young lady asked me where I read the article, I told her consumerist.com. She then instructed me to call the phone number listed in this article.

    I asked her if she could just confirm that they had been hacked and she paused and said “I really can’t.” I heard an awful lot of chatter in the background as well like they might be getting swamped with calls.

    I have already cancelled my CC, that I used there, and a new one is on the way. My CC company rep said she didn’t see any strange charges pending. So, I may be in the clear. At least they don’t have SS#s and Mother’s maiden name information.

  52. jeffe says:

    I purchased a CD player from Geeks.com in February using a VISA. I did not receive the above email though the email address is active. I called the 888 number and spoke with a nice CS rep who confirmed the ‘compromise’ occurred. I asked about the ‘verification numbers’ and why they were being stored since the PCI standard (credit card company’s rules about processing) states the number is not to be retained and used only at the time of processing, but the CS rep did not know. He took my name and number and said someone would follow-up with me.

  53. markopolo says:

    Aha! Was trying to figure out how someone poached my Visa check card and charged up $2800 at a Bed Bath & Beyond in New Jersey. Happened right before the Holidays. Thanks Geeks.com for keeping me safe! FAIL! Now off to settle things with my bank…

  54. garys says:

    I used a Mastercard with them, and had fraudulent charges starting 1/6/08. So either a HUGE coincidence, or at least some mastercards are affected. I canceled my mastercard.

    They are not supposed to store the CVV2 (verification) number with the credit card numbers. They should really be sued for doing this. At minimum, they should lose their merchant account.

  55. Optimistic Prime says:

    I just called them as well, at the number listed on their site. The representative Jimmy told me that you would get an e-mail and a snail-mail if you were one of the people affected. This makes me feel good as I haven’t gotten either.

  56. Optimistic Prime says:

    While I’m thinking, and not that it matters, I used a Visa card for at least one of the three transactions. I’m confident in that because none of my banking institutions utilizes MC, just Visa…

  57. hangmhigh says:

    Purchased merchandise from Geeks in November of 2006, over $3000 of fraudulent charges appeared on my VISA in August of 2007. The order was placed at Dell in Australia and other merchants. The merchandise was shipped. VISA removed the fraudulent charges and issued a new card. The shipping merchants did not get paid for the fraudulent order. I did not receive a letter or email from Geeks. I will contact their GEEK’s legal department and see what they have to say about it.

  58. DiscoverCardUser says:

    Might be a coincidence, but I was just contacted by DiscoverCard today. They were asking about a lot of recent charges in the past few days.
    I didn’t make any of them, Dell, Watches online, shoes place online, and many others.

    I was going to contact Geeks this morning when I read this but since it was more than a year ago and wasn’t VISA, I didn’t worry. I haven’t used my DiscoverCard in any new places, so either someplace else was compromised (MacMall, gas station, Buy.com) or this Geek problem affects more than just Visa and for more than a year.

    I did call Geeks and they said they are just collecting information right now, and I will be contacted by someone.

  59. desirprovocateur says:

    There lies the problem of holding credit card information for future use. A lot of online companies don’t even give the option whether they can hold credit card information or not. And even if they have that option, who knows if they follow it or not. When will they ever learn? Probably not until they get sued for a lot more.

  60. felixdacat says:

    I just called them, the lady said approx 650 individuals were affected. It could be higher or lower.

  61. crankymediaguy says:

    As noted before, I am the person who originally alerted Consumerist to this problem. So far, we haven’t gotten the snail mail from them about it, although (obviously) we did get the email.

    I’ll let you know if and when we get something in the mail from them.

  62. crankymediaguy says:

    Oh, by the way, shouldn’t they be offering something to make up for this? So far, bupkis.

  63. alfasub says:

    I guess I may be one of the 650 “victims”, bought from them using my VISA in May 2007. Are there any lawyers on this board? I think a lawsuit is in order here for Geek’s incompetence, negligence and the victims’ headache. Some things I noticed: a) I did not receive any emails or see anything related to the hack on their website. b) Geeks did not notify the incident before so it would not affect their Christmas sales, despite discovering it December 5, 2007. c) according to Visa, Geeks violated their requirements to store the little code on the back of the credit card (called CVV2 by visa) for any length of time. If that part of the article is correct, the business is not PCI compliant and should lose its merchant account. d) The remediation according to the original post puts the weight on consumers as if it were their fault losing this vital information. Would appreciate some feedback from someone familiar with legislation.

  64. lsocoee says:

    I definitely was one of the victims. I had charges start showing up a day before this notice came out. $430 at the ATT store and an authorization at iTunes. Looks like they were getting the iphone. I called and told my card company and they removed the charges and canceled my card. Geeks did not notify me directly in any way. I asked them what they were going to do to compensate and I haven’t heard back anything.

  65. est92305 says:

    My visa number was stolen recently. I also had Bed Bath and Beyond charges (also in NJ) on my card along with a $280 purchase from Tiger Direct. Our bank was great and canceled the card and refunded the charges as soon as we notified them. I will never do business with Geeks again. Seems like something should be done since they stored information that they shouldn’t have. I did not receive an e-mail from Geeks though. Did all the victims receive an e-mail from them?

  66. nhelgren says:

    I made a few purchases with a Visa this year and received no email about this. I haven’t noticed any activity but I put the fraud alert on my account and changed my card to be safe.

    A friend who used the site had a $500 charge in Thailand as well as a bunch of small charges for online trading sites (the type they do to validate your card before opening an account). He also didn’t receive any email.

    Neither of us stored our information on the site for later use. The email’s indication that it was their eCommerce site leads me to believe it wasn’t the stored data but transactional data.

    My friend is in the process of contacting them about why he didn’t receive the email either and that he saw charges.

  67. admiralguy says:

    I’ve been a long time reader of Consumerist, but just registered today so that I could post on this topic. I woke up this morning and logged on my bank’s website to find fraudulent charges on my Visa card. I called the company phone numbers listed with the charges and found that someone in Australia had made several purchases with my credit card info. Geeks was my first AND only suspect, because I use other credit cards for everything else, and this one for bill paying (and Geeks).

    Geeks.com was my very first online purchase back sometime around 1998 and I’ve spent 10s of 1000s of $ with them since. I would be satisfied if compensation was nothing more than free credit monitoring. I just went through all this last month with my wife’s credit card and a different online retailer, and that was their solution.

  68. gamabunta says:

    I just got an email and a call from my credit card company. Apparently, the bastards tried charging a ticket on Air Arabia. The card company didn’t let it go through but it still pisses me off that geeks.com wasn’t proactive in calling all its customers and hid it until after Christmas. Last time I ever buy from these assholes.

  69. foogoo says:

    I’m very upset too. I never received a notice from Geeks & had a charge for golf equipment & WOW accounts in Nov & Dec which falls into their time frame of the breach. When I called they said they couldn’t notify those affected because it would impede the law enforcement investigation.. whatever.
    And they are not offering to compensate us?? We have to call the CC company (during the holidays) and get new cards and audit our credit histories and do all the leg work for their mistake. I can say I’m really going to look closely at my shopping online given their customer disservice.
    I was already dissatisfied with their shipping costs, this is the final straw.

  70. ceokhan says:

    This is unbelievable. I buy stuff from there all the time! I will be pissed off if i see some weird transactions on my card. Lawsuit!!!

  71. VanPanda says:

    either mcafee makes money in a way that I could (saying a site is 99% safe,
    and blaming hacks on that 1%)
    or the hack was done to geeks.com servers or a dumbass inside the company
    did it.

  72. NeoArod says:

    Yeah I was a victim of this also, I made my purchase on January 1st and on the very 1st 10 charges were made to my card, thank god bank security called me last night to inform me of this, bc I am currently in Dominican Republic, so yeah they just noticed they were hacked, kinda suck but oh well, hope every1 is able to sort out their issues, good luck.