Six months. That’s how long it took for one of the nation’s oldest retailers to commit to coming clean about a hacking incident that compromised at least 51,000 records.

The retailer, Montgomery Ward, was recently quoted in an AP story saying it would contact the people affected by the incident, believed to have taken place back in December. That commitment only occurred after the reporter asked a Montgomery Ward exec if he was going to let the victims in on the secret.
Surprisingly, 44 states have some form of notification mandate for such occurrences. Regardless, research firm Gartner believes unreported breaches probably outnumber the reported ones. Fear of negative publicity is the No. 1 reason so many are swept under the rug. Remember the firestorm resulting from the breach at TJX?
It appears that common point of purchase (CPP, as it's called in the trade) analysis led the victims and the AP to the discovery. According to the story, an investigative firm focusing on payment card theft noticed in June that alleged hackers were offering some 200,000 payment cards for sale in online chat rooms frequented by assorted cyber criminals. The cardholders' security codes, expiration dates, addresses and phone numbers were on offer as well.
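Since CPP analysis is what surfaced this breach, here is what the technique looks like in code. This is an added example, not code from the original post or from the investigators in the AP story. The card ids, merchant names, dates and the "compromised" set are constructed for illustration, and the lift scoring (share of victims who shopped at a merchant divided by the share of the whole card population who did) is one simple way to rank candidates, not the method the investigators used.

```python
"""Common point of purchase (CPP) analysis over constructed sample data.

Given cards known to be compromised (for instance, cards seen offered for
sale) and the purchase history of a wider card population, find the merchant
that an unusually large share of the compromised cards all transacted at
during the suspected exposure window. Everything below is constructed for
the example; real CPP analysis runs over issuer or network transaction logs.
"""
from collections import defaultdict
from datetime import date

# Constructed purchase history: (card_id, merchant, purchase_date).
TRANSACTIONS = [
    ("card-01", "MegaGrocer",  date(2007, 11, 3)),
    ("card-01", "RetailSite",  date(2007, 11, 20)),
    ("card-01", "CoffeeKiosk", date(2007, 12, 1)),
    ("card-02", "MegaGrocer",  date(2007, 11, 5)),
    ("card-02", "RetailSite",  date(2007, 11, 22)),
    ("card-03", "MegaGrocer",  date(2007, 11, 9)),
    ("card-03", "RetailSite",  date(2007, 12, 2)),
    ("card-04", "MegaGrocer",  date(2007, 11, 12)),
    ("card-04", "RetailSite",  date(2007, 12, 4)),
    ("card-05", "MegaGrocer",  date(2007, 11, 6)),
    ("card-05", "CoffeeKiosk", date(2007, 11, 30)),
    ("card-06", "MegaGrocer",  date(2007, 11, 8)),
    ("card-06", "RetailSite",  date(2008, 1, 15)),   # after the window: ignored
    ("card-07", "MegaGrocer",  date(2007, 11, 19)),
    ("card-07", "CoffeeKiosk", date(2007, 12, 3)),
    ("card-08", "MegaGrocer",  date(2007, 11, 25)),
]

# Constructed: the cards later seen offered for sale in the underground.
COMPROMISED = {"card-01", "card-02", "card-03", "card-04"}

# Constructed exposure window: from first suspected exposure to discovery.
WINDOW = (date(2007, 11, 1), date(2007, 12, 31))


def cpp_candidates(transactions, compromised, window_start, window_end, min_hits=2):
    """Rank merchants as candidate common points of purchase.

    For each merchant, compare the share of compromised cards that shopped
    there inside the window with the share of the whole card population that
    did. A merchant with lift well above 1.0 that touches most of the victims
    is the likely breach point; a merchant everyone uses (lift near 1.0)
    explains nothing even though every victim shopped there.
    """
    cards_by_merchant = defaultdict(set)
    population = set()
    for card, merchant, when in transactions:
        if window_start <= when <= window_end:
            cards_by_merchant[merchant].add(card)
            population.add(card)

    # Only victims whose history we can see count toward the shares.
    compromised = set(compromised) & population
    if not compromised:
        return []

    results = []
    for merchant, cards in cards_by_merchant.items():
        hits = len(cards & compromised)
        if hits < min_hits:          # too few victims to say anything
            continue
        victim_share = hits / len(compromised)
        baseline_share = len(cards) / len(population)
        results.append({
            "merchant": merchant,
            "hits": hits,
            "victim_share": victim_share,
            "baseline_share": baseline_share,
            "lift": victim_share / baseline_share,
        })
    results.sort(key=lambda r: (r["lift"], r["hits"]), reverse=True)
    return results


def run_example():
    """Run the analysis over the constructed data above."""
    return cpp_candidates(TRANSACTIONS, COMPROMISED, *WINDOW)


if __name__ == "__main__":
    for r in run_example():
        print(f"{r['merchant']:12s} hits={r['hits']} "
              f"victims={r['victim_share']:.2f} "
              f"population={r['baseline_share']:.2f} lift={r['lift']:.2f}")
```

On the constructed data, RetailSite ranks first (all four victims, half the population, lift 2.0) while MegaGrocer, which every card in the population used, scores a lift of 1.0 and CoffeeKiosk is dropped for touching only one victim. The exposure window matters: the RetailSite purchase on card-06 falls after it and is excluded, which is the kind of detail that separates a credible CPP finding from a coincidence.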
However, Montgomery Ward knew about the incident in December. The company followed Visa’s “guidelines” to a T. That included a report to the U.S. Secret Service. But according to the story, the guidelines did not include notifying customers.
Only 15 percent of identity theft victims learn of the breach from the company responsible for it, according to the Identity Theft Resource Center. The rest find out the hard way.
It appears many companies would rather roll the dice on being caught by the states than be proactive about disclosure, which, to some extent, is understandable. After all, the backlash from such an event could prove fatal for a small company. It's also entirely understandable (though not in Ward's case) that firms often don't even know they've been breached, particularly those without security and PCI compliance partners.
I’m curious. Imagine for a minute your company’s database or website has been hacked. Now imagine the breach was substantial, perhaps compromising 80 percent of your customers’ records. What’s the best way to handle such a crisis, knowing full well that negative publicity could be catastrophic? What roles should the credit card companies, processors and merchants play in this unsavory process?
‘Til Next Time,
Joan
The eSecurity Diva

For the complete story read:
http://ap.google.com/article/ALeqM5hMgFbRpfc74PW0CvbF3kFbWFkHsAD91IJCHG2
The Ward situation is complicated and I am not privy to all the details. Nor do I want to disparage Ward, since I also know the media can misinterpret facts, but e-tailers need to be ready for a breach.
I ran communications for a major credit reporting company for the past five years, and our company provided services that helped these companies mitigate such problems, providing credit monitoring and fulfillment support for their customers.
While I can't quote statistics, clearly those companies that were proactive and transparent maintained their credibility with their customers, and survived the storm. Your relationship with your customers is like a marriage, you need to be honest and straightforward with your partner...or they will leave you!
That said, I disagree with advocates who claim that companies must disclose a breach immediately after learning of an attack. It is critical the affected company conduct a swift investigation before spreading potentially unnecessary panic among consumers. A few weeks may seem like an eternity, but a rush to judgment can cause even worse damage.
Posted by: David Rubinger | July 18, 2008 at 04:20 PM