Wards to Notify Customers Their Information Was Stolen

The Associated Press announced on Friday that old-time retailer Montgomery Ward is the latest victim of a data breach, in which at least 51,000 records were compromised. The problem now is that the company failed to notify the victims, which the law requires in 44 states.

Since Montgomery Ward declared bankruptcy in 2001, this announcement might sound confusing, but the company was resurrected in 2004 under the name Direct Marketing Services Incorporated. Direct Marketing Services sells merchandise online under the names Wards.com, SearsHomeCenter.com, SearsShowplace.com, SearsRoomforKids.com, and two more.

Allegedly, hackers gained access by going through another Direct Marketing Services site, HomeVisions.com.

When the site discovered the hack in December, they did notify their payment processors, Visa and Mastercard, but failed to notify any individual customers. Of course, they now plan to do so after being asked about it by the Associated Press.

The hat tip in this instance goes to CardCops, a group of cyber sleuths who track stolen payment card data in underground carder forums for financial institutions. CardCops spotted a group of 200,000 card numbers for sale (including CVC data) on one of the forums (chatrooms) they were monitoring. After tracing some of these cards to their owners, they discovered that they had one thing in common—Wards.

At this point, it is unclear whether the official estimate of 51,000 missing records is correct, or whether the hackers misrepresented the number of cards available in their underground forum.

When asked for some commentary, Visa declined to comment, MasterCard stated they warned the issuing banks to watch for suspicious activity, and Discover stated they issued new cards.

Wards is not alone in not notifying their customers or the public promptly when a data breach occurs. This was recently lamented in a post suggesting we are a long way from full disclosure in data breaches.

Beyond the known data breaches, there are many that are never discovered. Information is also stolen all the time on a smaller scale by dishonest employees, through phishing and, despite all the shredders, from the trash.

The sad truth is that, from the criminal perspective, stolen information that hasn't been detected is worth more than information that is known to be "hot."

If you would like to see more information on the known data breaches, the DLDOS database at Attrition.org is a good resource. PogoWasRight is another place that covers the privacy concerns arising from this problem, which faces us all.

Article Author: Ed Dickson

Having worked around financial crimes for a number of years, I noticed they seemed to be on the rise. One reason for this is technology, which grows more rapidly than laws designed to protect us from it. …
