DSW Settles With FTC Over Data Breach

Share this article:
About nine months after divulging a data breach affecting up to 1.5 million consumers, shoe retailer DSW Inc. settled charges with the Federal Trade Commission, the FTC said yesterday.


DSW Shoe Warehouse parent Retail Ventures Inc. said March 8 that DSW suffered a data theft affecting 103 of its 175 U.S. stores. Though the number of consumers affected was not made public, reports cited Secret Service sources that estimated 100,000. Stolen data included credit card information and purchase data. On April 18, Retail Ventures, Columbus, OH, issued a statement based on an investigation of the breach saying 1.4 million credit card transactions and 96,000 check payments were discovered across 108 DSW stores. Security firm Ubizen conducted the investigation, though law enforcement continues to investigate the breach as well. A list of affected retail stores and more information for consumers are posted at www.dswshoe.com.


"Until at least March 2005, respondent engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information collected at its stores," the FTC complaint against DSW alleged.


According to the FTC, the company created unnecessary risks to data by storing it in multiple files when it was no longer needed; failed to use readily available security measures; stored information in unencrypted files; failed to limit sufficiently the ability of computers on one in-store network to connect to computers on other in-store and corporate networks; and failed to take sufficient measures to detect unauthorized access.


Information obtained from the credit card transactions included names, credit or debit card numbers and purchase amounts. The check transaction thefts divulged checking account numbers and driver's license numbers only. Retail Ventures said the stolen data did not include Social Security numbers, debit card personal identification numbers or addresses, and no Internet or loyalty program data were accessed.


The bulk of these transactions occurred from mid-November 2004 to mid-February 2005, Retail Ventures said. The firm provided the stolen credit card numbers to American Express, Discover, Visa and MasterCard, which alerted the issuing banks. DSW is sending letters to the roughly half of the cardholders for whom it was able to obtain contact information. It also identified about 88 percent of the check customers and is notifying them as well.


Under DSW's agreement with the FTC, the retailer does not admit to violating any laws but agrees to implement comprehensive information security measures and must be audited by a qualified independent third-party security professional every other year for 20 years. The FTC will monitor compliance. The FTC voted 4-0 to accept the proposed consent agreement. The agreement is subject to public comment until Jan. 2 when the commission decides whether to finalize it.


Kristen Bremner covers list news, insert media, privacy and fundraising for DM News and DMNews.com. To keep up with the latest developments in these areas, subscribe to our daily and weekly e-mail newsletters by visiting www.dmnews.com/newsletters


Share this article:
close

Next Article in Multichannel Marketing

Sign up to our newsletters

Follow us on Twitter @dmnews

Latest Jobs:

More in Multichannel Marketing

Generating Loyalty for Brands and Retailers in an Omnichannel World

Generating Loyalty for Brands and Retailers in an ...

Harnessing personas, loyalty programs, and new technologies can help marketers better connect with customers.

News Byte: Salesforce Forms Unit to Focus on Verticals

News Byte: Salesforce Forms Unit to Focus on ...

The industries business unit, led by ex-White House CIO Vivek Kundra, will serve six industry groupings.

Columbia U. Puts the "Do" in "Donation"

Columbia U. Puts the "Do" in "Donation"

Columbia University raises nearly $7 million in donations in just 24 hours with a combination of social media, live events, and gamification.