How refreshing: Retailer admits data theft
Posted: Monday, March 17 at 04:34 pm CT by Bob Sullivan
It was good to see the Hannaford Bros. grocery chain step forward Monday and admit it was the retailer that had suffered a credit card and debit card hacker attack. Criminals had access to account numbers from Dec. 7 to March 10, and stole a whopping 4.2 million credit and debit card numbers while they were transmitted for authorization, the company said. (see full story)
The company's announcement came only hours after the Massachusetts Bankers Association issued a statement indicating that it had been warned about a leak at a "major retailer" by Visa and MasterCard, while complaining that the credit card associations wouldn't reveal the name of the store chain. An initial version of this column offered the same lament.
The card associations routinely keep such information a secret, and banks are getting tired of that. You should be, too.
“Releasing the name of the retailer would make all of our lives easier and safer,” Daniel J. Forte, the association’s CEO, said before Hannaford was identified as the target of the data theft. “Customers who didn’t shop there would be put at ease, and banks could do more efficient investigations to better protect
Credit card users are often the last to know when a criminal has access to their data. That's because it usually falls to the affected banks to decide which consumers -- if any -- to tell.
Even when the name of the retailer is made public, disclosure takes place in fits and starts. The infamous TJ Maxx data leak, which ultimately was determined to have affected nearly 50 million account numbers, occurred in December 2006. The company announced the leak one month later, but only recently did it begin notifying individual consumers.
In other data leaks, disclosure of the impacted retailer can take months. Sometimes, the name is never revealed.
"Consumers always want to know where the breach took place. That’s one of the first things affected consumers ask their banks, right after ‘will I get my money back?’" said Avivah Litan, a bank security analyst at consulting firm Gartner. "They ... have a right to know. After all it’s their money and their time that is involved, and it may influence their future purchasing decisions."
One reason that credit card associations maintain a policy of not naming retailers involved in data leaks is that the fault might lie with the store's credit card processing firm or somewhere else along the data chain.
Chris Monteiro, a spokesman for MasterCard, said that the credit card association also cannot release the information because it is “the subject of an ongoing law enforcement investigation.”
Banks, on the other hand, are increasingly calling for early disclosure of data leakers, says Litan.
"The banks obviously want to be able to inform their cardholders where the breach took place, so that consumers don’t blame their bank for the theft," she said.
Credit card associations like Visa and MasterCard are often the first to notice when a large block of account numbers is stolen, because they see the fraud pattern before the merchant. Consumers could benefit from early warning -- particularly debit card holders, who may find their checking accounts drained by thieves.
In either case, consumers are entitled to prompt refunds of money taken by account number thieves, and have zero liability for fraudulent charges made by credit card crooks.
RED TAPE WRESTLING TIPS
Sometimes when data is stolen or missing, it's not clear whether ID thieves actually have control of it. Not so in this case; Hannaford told the Associated Press it's aware of 1,800 cases of fraud related to the data theft.
Consumers simply have to challenge fraudulent charges with their credit card companies. Those who lose money in their checking accounts to fraudulent debit card transactions must get refunds from their banks within 10 days, according to federal banking regulations.
Meanwhile, it's always a good idea to use online banking services to check account balances every few days and make sure nothing is out of whack. If there is, the sooner you report the problem the better.

At the least, they should release the type of store. If I knew for example that it was a children's goods store or a women's clothing store I, as a single man, would know that it didn't include me even without the store's actual name.
Charles J in San Diego, CA (Sent Mar 17, 2008 4:29:41 PM)
Hopefully this event will be another reason that merchants work to not store credit/debit card data after transactions post and secure their systems from intrusions from hackers.
(Sent Mar 17, 2008 4:37:47 PM)
This is really disturbing as a resident of Massachusetts.
M. Putvin, Fall River, Ma (Sent Mar 17, 2008 4:40:07 PM)
I think everyone should send a copy of this article to all of their state reps and ask that they pass a bill that when these happen the public is told right away.. and the what, where and why's are given so consumers can figure out if they may have been affected or not by the leak.
Tara, Boston, MA (Sent Mar 17, 2008 4:41:03 PM)
Who makes these rules? And how can they sleep at night? Why is Big Business ALWAYS put ahead of the citizens?
Kathleen, Helena, MT (Sent Mar 17, 2008 4:44:55 PM)