Hackers Selling Stolen Credit Cards Lead To Montgomery Ward Parent Company Breach Exposure
At least 51,000 records were exposed in the breach at the parent company of Montgomery Ward. The venerable Wards chain that began in 1872 went out of business in 2001, but in 2004 a catalog company, Direct Marketing Services Inc., bought the brand name out of bankruptcy. It now runs a Wards.com Web site along with six other sites, including three with Sears brands it has acquired: SearsHomeCenter.com, SearsShowplace.com and SearsRoomforKids.com.
The financial company Citigroup detected the computer invasion in December. By going through HomeVisions.com, another Direct Marketing Services site, hackers had plundered the database that holds account information for all the company’s retail properties.
An online chatter was detected in June by Affinion Group Inc.’s CardCops, a group of investigators who track payment-card theft for financial institutions. In Internet chat rooms frequented by card thieves, CardCops spotted hackers touting the sale of 200,000 payment cards belonging to one merchant. CardCops then intercepted several hundred of the records, along with the online handles belonging to hackers whose real names remain unknown.
Along with the card numbers, their three-digit “security codes” and expiration dates, the thieves had the cardholders’ names, addresses and phone numbers. The data had been organized in the same way, indicating the numbers likely came from the same database. The vast majority of the cardholders were women, a clue that the records came from a merchant catering to a certain demographic.
When cardholders were contacted, the first eight said they had bought things online or through mail order from Montgomery Ward. Further investigation showed that there is a high probability that the entire database of Montgomery Ward was breached.
Direct Marketing Services immediately informed its payment processor and Visa and MasterCard and closely followed a set of guidelines, issued by Visa, on how to respond to a security breach, including a report to the U.S. Secret Service. Those guidelines from Visa are largely technical, and do not require the organizations that have been hacked to come clean to the affected consumers, not just to the financial industry. Companies that fail to comply can be hit with fines or be sued by affected customers, depending on the state.
As a result, scores of breaches covering hundreds of millions of consumer accounts have been disclosed by banks, universities, corporations and retailers in recent years. Direct Marketing Services now plans to contact consumers.
It is not clear whether the hackers were inflating their claim when they offered 200,000 records or whether the official number of 51,000 is accurate.
More on CyberInsecure:
Posts
December 21st, 2011 at 6:36 am
I think I have been part of a lot of people that have been robbed. On october I received an application of a Flexcard Program to fix credit. They offered. Credit Card with $1500 cash, $10,000 unsecured credit and even car loan. You can imagine. There was a security deposit that had to be made with a credit card payable to a Ward Card Co. I am from Puerto Rico but I was willing to fin my credit which I’m doing with Lexinton Law. The Flexcard was suppose to arrive in 15 days (I’m still waiting), the office supposely in Florida, and the phone number: (561)921-2600. Everything is closed and no credit card, no e-mail address, no one answering the phone, the office is currently closed. And no security deposit. It’s a shame that at my 63 years old I go thru this situation. That shows that gold can be offerred to me and I don’t want it. You can publish this letter so anyone else fall’s into the Flexcard Program Fraud. Thank you.