Sunday, June 29, 2008

Wards will now start notifying customers their information was stolen in December

The Associated Press announced on Friday that old time retailer Montgomery Ward is the latest victim of a data breach, where at least 51,000 records were compromised. The unfortunate problem now is they failed to notify the victims, which is the law in 44 States.

Since Montgomery Ward declared bankruptcy in 2001 this announcement might sound confusing, but the company was resurrected in 2004 under the name, Direct Marketing Services Incorporated. Direct Market Services sells merchandise under the names,,, (and two more) online.

Allegedly, hackers gained access by going through another Direct Marketing Services site,

When they discovered the hack in December, they did notify their payment processor, Visa and Mastercard, but failed to notify any individual customers. Of course, they now plan to do so after being asked about it by the Associated Press.

The hat tip in this instance goes to CardCops, which a group of cyber sleuths who track stolen payment card data in underground carder forums for financial institutions. CardsCops spotted a group of 200,000 card numbers for sale (including CVC data) on one of the forums (chatrooms) they were monitoring. After tracing some of these cards to their owners, they discovered that they were had one thing in common (Wards).

At this point, it is unclear on whether the official estimate of 51,000 missing records is correct, or the hackers misrepresented the number of cards available in their underground forum.

When asked for some commentary, Visa declined to comment, MasterCard stated they warned the issuing banks to watch for suspicious activity and Discover stated they issued new cards.

Wards is not alone in not notifying their customers, or the public promptly when a data breach occurs. Recently lamented about this in a post suggesting we are a long way from full disclosure in data breaches.

Even without all the known data breaches, there are many that are never discovered. Besides that, information is stolen all the time on a smaller scale by dishonest employees, phishing and (despite all the shredders) from the trash.

The sad truth is from the criminal perspective, stolen information that hasn't been detected is worth more than information that is known to be "hot."

If you would like to see more information on the known data breaches, the DLDOS database at is a good resource. PogoWasRight is also another place that covers the privacy concerns arising from this problem, which faces us all.

No comments: