DSW Settles With FTC Over Data Breach

About nine months after divulging a data breach affecting up to 1.5 million consumers, shoe retailer DSW Inc. settled charges with the Federal Trade Commission, the FTC said yesterday.

DSW Shoe Warehouse parent Retail Ventures Inc. said March 8 that DSW suffered a data theft affecting 103 of its 175 U.S. stores. Though the number of consumers affected was not made public, reports cited Secret Service sources that estimated 100,000. Stolen data included credit card information and purchase data. On April 18, Retail Ventures, Columbus, OH, issued a statement based on an investigation of the breach saying 1.4 million credit card transactions and 96,000 check payments were discovered across 108 DSW stores. Security firm Ubizen conducted the investigation, though law enforcement continues to investigate the breach as well. A list of affected retail stores and more information for consumers are posted at www.dswshoe.com.

“Until at least March 2005, respondent engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information collected at its stores,” the FTC complaint against DSW alleged.

According to the FTC, the company created unnecessary risks to data by storing it in multiple files when it was no longer needed; failed to use readily available security measures; stored information in unencrypted files; failed to limit sufficiently the ability of computers on one in-store network to connect to computers on other in-store and corporate networks; and failed to take sufficient measures to detect unauthorized access.

Information obtained from the credit card transactions included names, credit or debit card numbers and purchase amounts. The check transaction thefts divulged checking account numbers and driver's license numbers only. Retail Ventures said the stolen data did not include Social Security numbers, debit card personal identification numbers or addresses, and no Internet or loyalty program data were accessed.

The bulk of these transactions occurred from mid-November 2004 to mid-February 2005, Retail Ventures said. The firm provided the stolen credit card numbers to American Express, Discover, Visa and MasterCard, which alerted the issuing banks. DSW is sending letters to the roughly half of the cardholders for whom it was able to obtain contact information. It also identified about 88 percent of the check customers and is notifying them as well.

Under DSW's agreement with the FTC, the retailer does not admit to violating any laws but agrees to implement comprehensive information security measures and must be audited by a qualified independent third-party security professional every other year for 20 years. The FTC will monitor compliance. The FTC voted 4-0 to accept the proposed consent agreement. The agreement is subject to public comment until Jan. 2 when the commission decides whether to finalize it.

Kristen Bremner covers list news, insert media, privacy and fundraising for DM News and DMNews.com. To keep up with the latest developments in these areas, subscribe to our daily and weekly e-mail newsletters by visiting www.dmnews.com/newsletters

Related Posts