DSW Data Breach Affects Nearly 1.5 MillionThough DSW Shoe Warehouse parent Retail Ventures Inc. initially kept mum on how many customers may be affected by a transactional data breach announced in March, it revealed this week that just shy of 1.5 million consumers' personal data had been stolen.
Also yesterday, Ameritrade said account information may have been lost for up to 200,000 customers when a package containing tapes with back-up information on customer accounts went missing. According to wire reports, the online broker said it was told in February that a package with four data cassettes of current and former Ameritrade account holders' information from 2000 to 2003 was misplaced by a shipping company that Ameritrade uses.
Three of the four tapes were recovered at the shipper's Maryland facility. Ameritrade declined to name the company. According to wire reports, Ameritrade reviewed the customer information that would be on the missing tape and concluded that only 175,000 customers needed to be notified. The company began sending letters last week.
Initially, Retail Ventures said March 8 that DSW suffered a data theft affecting 103 of its 175 U.S. stores. Though the number of consumers affected was not made public, reports cited Secret Service sources that put it around 100,000. Stolen data included credit card information and purchase data.
On April 18, Retail Ventures, Columbus, OH, issued a statement based on an investigation of the breach saying 1.4 million credit card transactions and 96,000 check payments were discovered across 108 DSW stores. Security firm Ubizen conducted the investigation, though law enforcement continues to investigate the breach as well. A list of affected retail stores and more information for consumers are at www.dswshoe.com.
Information obtained from the credit card transactions included names, credit or debit card numbers and purchase amounts. The check transaction thefts divulged checking account numbers and driver's license numbers only. Retail Ventures said the stolen data did not include Social Security numbers, debit card personal identification numbers or addresses, and no Internet or loyalty program data were accessed.
The bulk of the affected transactions occurred between mid-November 2004 and mid-February 2005, Retail Ventures said. Stolen credit card numbers have been provided by the firm to American Express, Discover, Visa and MasterCard, which alerted the issuing banks. DSW is sending letters to about half of the cardholders for whom it was able to obtain contact information. It also has identified about 88 percent of the check customers and is notifying them as well.
Though at least one credit card issuer began warning consumers about another supposed retail data breach last week, Polo Ralph Lauren Corp. blamed the problem on a software glitch and said an investigation yielded no evidence of an internal or external breach. A Polo spokeswoman said the glitch was repaired April 15.
On April 14, the North American division of British credit card company HSBC PLC sent letters to 180,000 cardholders to inform them that their personal data may have been accessed via transactional data of a U.S. retailer. HSBC said consumers holding a General Motors-branded MasterCard may be affected and that letters were sent last week. The letter did not name the retailer but a Wall Street Journal report identified it as Polo Ralph Lauren.
MasterCard and Visa also acknowledged that they were aware of the breach, had notified the banks that issue their cards and that cardholders were protected from fraudulent charges to their accounts.
Also on April 18, New York attorney general Eliot Spitzer called for state legislation aimed at reducing identity theft through regulation of data brokers, consumer opt outs, mandatory data breach disclosure and tougher penalties for identity thieves and hackers, among other provisions.
Spitzer's proposal was preceded by several congressional committee hearings on identity theft and other state and federal bills introduced after high-profile data breaches at data providers ChoicePoint and LexisNexis.
Sens. Charles Schumer, D-NY, and Bill Nelson, D-FL, introduced an identity theft prevention bill April 12 that would create a Federal Trade Commission office of identity theft and require data providers to register with the FTC. Other provisions would institute safeguards to prevent fraudulent access to data and give consumers access and the option to fix errors.
The legislation also would mandate notice of third-party data disclosure and notification of data breaches. Provisions related to Social Security numbers would prohibit companies from asking for the numbers unless necessary for a transaction; prohibit display of Social Security numbers on employee IDs; ban the sale and purchase of the numbers except for law enforcement, national security and anti-fraud purposes; and grant the attorney general the ability to define exemptions.
On April 11, Sen. Dianne Feinstein, D-CA, offered a revised version of the Notification of Risk to Personal Data Act that she first introduced Jan. 24. The original bill required mandatory notification when sensitive data are breached. The revision adds provisions to close loopholes that exempt encrypted data and specify the contents of the notices.
Kristen Bremner covers list news, insert media, privacy and fundraising for DM News and DMNews.com. To keep up with the latest developments in these areas, subscribe to our daily and weekly e-mail newsletters by visiting www.dmnews.com/newsletters