Did stores hush up credit card scam?

By The Wall Street Journal

Most states mandate that companies tell their customers when their credit card data is stolen from stores. The laws are designed to give consumers a chance to protect themselves against fraud or identity theft.

But when federal prosecutors disclosed last week that computer hackers had swiped more than 40 million credit card numbers from nine retailers in the biggest such heist ever, it was the first time that many shoppers had heard about it.

That's because only four of the chains clearly alerted their customers to the breaches. Two others, Boston Market and Forever 21, say they never told customers because they never confirmed data had been stolen from them.

• Talk back: What's your ID-theft nightmare?

The other retailers -– OfficeMax, Barnes & Noble and Sports Authority –- wouldn't say whether they made consumer disclosures. Computer searches of their Securities and Exchange Commission filings, Web sites, press releases and news archives turned up no evidence of such disclosures.

The other companies allegedly targeted by the ring charged last week were TJX, BJ's Wholesale Club, shoe retailer DSW and restaurant chain Dave & Buster's. They each disclosed to customers, shortly after the intrusions were discovered, that they were breached.

The disclosure issue emerged after the government charged 11 men in five countries, including the United State, Ukraine and China, with orchestrating a high-tech operation to steal credit card numbers from 2003 to 2008.

After an increasing number of such thefts in recent years, more than 40 states have adopted laws requiring companies to give consumers an early warning when their personal information is stolen.

Companies typically have made disclosures by letter, whenever possible, and through public announcements on their Web sites and in press releases to the media.

Disclosure allows consumers to act quickly to limit losses by canceling their credit cards, changing their passwords or setting up credit-monitoring services.

The Federal Trade Commission estimates that nearly $50 billion is lost annually as a result of identity theft and credit card fraud, with part of it absorbed by banks.

"If I were the companies, I would be issuing public disclosures five nanoseconds after the indictments were announced," says Evan Stewart, an adjunct professor at Fordham University School of Law and an electronic-data-breach expert.

"If not, there could be big checks the companies will have to be writing" to cover consumer litigation, he said.

Dan Clements, the chief executive of Affinion Security Center's CardCops unit, which monitors Internet chat rooms for illegal trafficking of credit and debit cards, says many companies are reluctant to disclose breaches.

"Telling the public that they've been breached is embarrassing for them. It makes them suffer a loss of good will, and, in the case of public companies, the stock price goes down."

Continued: At odds with government investigators

 1 | 2 | next >