Montgomery Ward's Hacked 6 Months Ago, But Victims Weren't Told

Somewhere between 51,000 and 200,000 records were stolen from Montgomery Ward’s servers last December—the company says it’s the smaller number, but CardCops, the group that spotted the hack in the first place, “spotted hackers touting the sale of 200,000 payment cards belonging to one merchant” in June, which is how the story became public. Montgomery Ward knew about the breach when it happened, and although the company reported the crime to federal investigators, it didn’t tell any of the victims. The CEO of Direct Marketing Services, which owns the Montgomery Ward name, told the Associated Press that after he alerted investigators he felt his company “had met its obligations.”

In case you needed more evidence that Direct Marketing Services isn’t exactly a top-of-the-line company when it comes to data security, management, or customer relations, the breach wasn’t even discovered internally:

Direct Marketing Services’ CEO, David Milgrom, said the financial company Citigroup detected the computer invasion in December. By going through HomeVisions.com, another Direct Marketing Services site, hackers had plundered the database that holds account information for all the company’s retail properties.

After the story broke last week, the company announced plans to contact the victims of the breach.

Direct Marketing Services says it now plans to contact the victims of the breach, but of course that’s only to avoid further bad press now that the story has broken. Fortunately, the company contacted credit card companies when it was first notified of the breach, so the industry has been monitoring suspect accounts and/or issuing new cards as needed. If you shopped at the Montgomery Ward website and found your Discover, for example, you may have been a victim. Congrats.

So why wasn’t it reported? Because it’s financially more rewarding to flout the regulations that require it if you’re dealing with online transactions:

Such silence was the norm in the industry for years. But in response to fears of identity theft, 44 states have passed laws that generally require organizations holding consumer data to tell people when their information has leaked, according to the National Conference of State Legislatures.

Clements and other security analysts say that despite those laws, many breaches still are kept quiet, judging by the data being hawked in online black markets. Avivah Litan, an analyst at Gartner Inc., believes unreported data breaches might still outnumber the ones that do get publicized.

Litan says it especially is the case with online merchants. She believes it happens because of a lack of pressure from credit card companies, which are not responsible for fraudulent charges in “card not present” transactions over the Web and mail order. Until fraud actually appears on the card, they’d rather avoid the cost of voiding compromised cards and giving consumers new ones, she said.

“What it reveals is the convoluted banking system,” she said. “If this had taken place at a grocery store, we all would have heard about it.”

You know what would make for some good PR? If an online company stepped forth and made a commitment to reveal data breaches in a timely manner, and hired an outside auditing firm to enforce said pledge. Instead, we’ll start the countdown to a class action lawsuit against Direct Marketing Services.

“Wards didn’t tell consumers about credit card hack” [Associated Press]

Comments


  1. blue_duck says:

    Nice.

  2. cotr says:

    Montgomery ward? I thought they went bankrupt years ago

  3. NotATool says:

    Obligatory “who the hell shops at Monkey Wards?”

  4. ajmccoll says:

    @camelontherun: I thought the same. After the Montgomery Wards in the local mall went away I thought the whole company did as well.

  5. SybilDisobedience says:

    @ajmccoll: Yes, I thought they went the way of Service Merchandise. Maybe they just have an online presence these days?

  6. rmz says:

    Echoing the sentiment that “Montgomery Ward is still around?”

  7. Wow, I haven’t seen one of those places in 15 years…I thought they went out of business with Woolworth’s!

  8. ajmccoll says:

    @SybilDisobedience: Looks like you’re right, according to Wikipedia:

    “In June, 2004, an online retailer was created which sells the same products as the former brand. The company does not currently operate any retail stores.”

  9. Ein2015 says:

    @Ash78: Same here… I haven’t seen one in ages.

  10. friendlynerd says:

    Yeah it’s online/catalog only these days, and only a fraction of what they used to sell. If you look it’s more like an HSN/QVC type outfit in terms of quality and overpricing.

    I worked at MW in the housewares dept in high school about a year before they went under. It was a long time coming.

  11. semanticantics says:

    Not only is MW still around, but they have a website?

  12. valthun says:

    Wait, they are still in business, I thought they shut down permanently around 2000 or something like that.

  13. moore850 says:

    Isn’t that the gist of what happened with the infamous Brink’s truck robberies in the early 50’s, where the company didn’t want the story of how much was getting stolen to get out, and then finally it got out when someone knocked over their main safe? (see the related “Brink’s Job” movie, it’s great.)

  14. moore850 says:

    isn’t that basically what happened with the Brinks Truck robberies of the early 50’s, where Brinks didn’t report any of the thefts that were rampant to preserve their image, until finally the main safe got hit up for millions? (see the Brinks Job movie, it’s great)

  15. They’re still around? My dad worked there in the 70’s

  16. kaptainkk says:

    I used to love MW when they were around here.

  17. zentex says:

    @NotATool: Monkey Wards indeed

  18. UnicornMaster says:

    I remember when it was Jefferson Ward. And poorly lit aisles and aisles of useless 80’s gadgets.

  19. It’s pretty sickening, this trend of tight lippedness when security breaches are discovered. The laws that make this illegal really need to be enforced. But then again things don’t happen because they should; they happen (or don’t) because of money.

  20. cornish says:

    I guess I shouldn’t be surprised that in this day-and-age there are still e-tailers that store credit card and CVV2 numbers in their databases. Completely unnecessary.

  21. Raving Rabbid says:

    The story:

    -The chain goes bankrupt
    -The IP gets bought
    -The new owner of the IP launches site
    -Site gets breached

    The end.

  22. mthrndr says:

    who the fuck would buy from montgomery ward when there is amazon.com?

  23. skeleem_skalarm says:

    Like many of us here, I didn’t even know MW was still in existence. Anyway, I’m glad I don’t have one of their cards.

  24. Hey don’t knock MW, the real company was pretty cool back in the day. A lot of my clothes growing up came from there.

    At least it didn’t stick around forever and become the definition of suckage like Sears has. As @RavingRabbid said, there’s no connection to the old chain. This direct marketing outfit bought the name, the domains, and a few brands in the bankruptcy sale, waited a couple years, and launched it as an online store that sells mainly home goods (bedding, bath, drapes, etc).

  25. econobiker says:

    As described, a shell company bought the Wards name. The same gig happened to Service Merchandise when a shell company bought the jewelry department. The “new” Service Merchandise is basically two small storefront jewelry shops in the Nashville region…

  26. gliscameria says:

    Errrr?

    I worked at Wards during the bankruptcy. The liquidators were AHOLES that would kick their grandmothers in the teeth so they could sell the fillings. I’m surprised they weren’t caught selling card #s for cash on the subway. I knew a lady that worked there for like 40 years and they raped her pension…

    I’ve never seen so much fraud and theft in my life. People got caught stealing thousands of dollars (in cash and merch) and were asked to leave the store, with no charges filed, because the liquidators didn’t want to fly across the country to prosecute, not to mention the liquidators themselves stealing electronics.

  27. Consumer007 says:

    Ummmm…charge Milgrom as a conspirator to the theft. That will make other Capital-L loser CEOs think twice, no won’t it?

  28. BillsBurg says:

    Wow, when I was a kid there was a Monkey Wards just on the other side of a park bordering my neighborhood. They had a great cafeteria, used to go there and order fries and a soda after school, and if I had enough cash maybe a hot dog or two.

  29. PSTOKELY says:

    @mthrndr:

    Probably those over 50

  30. ShadowFalls says:

    Heh, that place closed up years ago around here, now I know why…

  31. mac-phisto says:

    ok, i have a BIG problem with this statement:

    [Avivah Litan, an analyst at Gartner Inc.,] says it especially is the case with online merchants. She believes it happens because of a lack of pressure from credit card companies, which are not responsible for fraudulent charges in “card not present” transactions over the Web and mail order. Until fraud actually appears on the card, they’d rather avoid the cost of voiding compromised cards and giving consumers new ones, she said.

    speaking from the card side of the equation, she’s full of shit. do i like reordering compromised cards? no, not at all. they cost roughly $7/card to process, it pisses off my members & we sometimes lose accounts b/c people think we are responsible for the theft.

    but if she thinks i would rather do chargebacks than replace cards, she’s a flaming hole. the entire process takes forever, it greatly inconveniences my members & each chargeback costs my company $25. PLUS, i need to status their card & order a new one (which means the cost is actually ~$32 per).

    she could have said that cc companies don’t want you to know how unsafe the cards are to use so you don’t become too scared to use them, but saying we’d like to wade thru mountains of chargebacks over mountains of reissues is bullshit.

  32. Segador says:

    I hate to break it to you guys, but this happens to banks all the time. Like 3-4 times a month. American banks are routinely cracked/stolen from by Russian/Chinese hackers, but the banks NEVER report these instances because they, and the government, don’t want an erosion of confidence in the banking system. If you use a US bank, there’s a 99.9% chance that all your banking info is nestled comfortably in a hard drive in Moscow.

  33. themaskedmarauder says:

    Echoing the echoing sentiment of “Who knew Montgomery Ward was still around?” You mean I could have been buying industrial blue jeans and generic shirts all this time? Along with a lawn mower and an ice cream maker? And I have been denied?