Montgomery Ward's Hacked 6 Months Ago, But Victims Weren't Told

Somewhere between 51,000 and 200,000 records were stolen from Montgomery Ward’s servers last December—the company says it’s the smaller number, but CardCops, the group that spotted the hack in the first place, “spotted hackers touting the sale of 200,000 payment cards belonging to one merchant” in June, which is how the story became public. Montgomery Wards knew about the breach when it happened, and although they reported the crime to federal investigators, they didn’t tell any of the victims. The CEO of Direct Marketing Services, which owns the Montgomery Ward name, told the Associated Press that after he alerted investigators he felt his company “had met its obligations.”

In case you needed more evidence that Direct Marketing Services isn’t exactly a top-of-the-line company when it comes to data security, management, or customer relations, the breach wasn’t even discovered internally:

Direct Marketing Services’ CEO, David Milgrom, said the financial company Citigroup detected the computer invasion in December. By going through, another Direct Marketing Services site, hackers had plundered the database that holds account information for all the company’s retail properties.

After the story broke last week, the company announced plans to contact the victims of the breach.

Direct Marketing Services says it now plans to contact the victims of the breach, but of course that’s only to avoid further bad press now that the story has broken. Fortunately, they contacted credit card companies when they were first notified of the breach, so the industry has been monitoring suspect accounts and/or issuing new cards as needed. If you shopped at the Montgomery Wards website and found your Discover, for example, you may have been a victim. Congrats.

So why wasn’t it reported? Because it’s financially more rewarding to flout the regulations that require it if you’re dealing with online transactions:

Such silence was the norm in the industry for years. But in response to fears of identity theft, 44 states have passed laws that generally require organizations holding consumer data to tell people when their information has leaked, according to the National Conference of State Legislatures.

Clements and other security analysts say that despite those laws, many breaches still are kept quiet, judging by the data being hawked in online black markets. Avivah Litan, an analyst at Gartner Inc., believes unreported data breaches might still outnumber the ones that do get publicized.

Litan says it especially is the case with online merchants. She believes it happens because of a lack of pressure from credit card companies, which are not responsible for fraudulent charges in “card not present” transactions over the Web and mail order. Until fraud actually appears on the card, they’d rather avoid the cost of voiding compromised cards and giving consumers new ones, she said.

“What it reveals is the convoluted banking system,” she said. “If this had taken place at a grocery store, we all would have heard about it.”

You know what would make for some good PR? If an online company stepped forth and made a commitment to reveal data breaches in a timely manner, and hired an outside auditing firm to enforce said pledge. Instead, we’ll start the countdown to a class action lawsuit against Direct Marketing Services.

“Wards didn’t tell consumers about credit card hack” [Associated Press]

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.