
The New York Times reports this morning that the US Department of Justice has indicted three men – a Miami man and two Russian co-conspirators – who, it says, were responsible for the theft of more than 130 million credit card and debit card numbers between late 2006 and early 2008, a scam that affected the computer systems of retailers that included Hannaford Brothers and c-store chain 7-Eleven, as well as Heartland Payment Systems, a payment processor.

According to the indictment, at least some of those credit card numbers were sold online to people who used them to make unauthorized purchases. The Miami man, Albert Gonzalez, is already in custody because of charges in another identity theft case; it is unknown how or if the Justice Department will be able to arrest and try the Russians in the case. The Times writes that “each defendant faces the possibility of 35 years in prison, and more than $1 million in fines or twice the amount made from the crime, whichever is greater.”

Some interesting notes in the Times story:

• “Prosecutors called it the largest case of computer crime and identity theft ever prosecuted.”

• “Mr. Gonzalez once worked with federal investigators. In 2003, after being arrested in New Jersey in a computer crime, he helped the Secret Service and federal prosecutors in New Jersey identify his former conspirators in the online underworld where credit and debit card numbers are stolen, bought and sold.”

And perhaps the most sobering line from the article:

• “Although some states require card issuers to notify customers about security breaches, it is unclear whether all individuals whose card numbers were stolen in this case have been notified and offered new account numbers.”

KC's View:
Want to know something else that’s scary? Gonzalez is only 28 years old, according to the Times story…which means he’s squeezed a lot of larceny into a relatively short lifespan using a technological facility that most of us can barely understand.

Perhaps the most important lesson from this case comes from how Hannaford dealt with it – the company got a lot of criticism for holding back on informing its customers about the breach of its systems, and creating a situation in which at least some of its affected shoppers found out about the problem with their cards by reading the Boston Globe and other newspapers.

That’s never how you want your shoppers to find out.

Now, Hannaford probably has a good defense – that to have told its customers any sooner might have jeopardized the federal investigation into the breach. But this is a tough one, and the company had to worry that its shoppers might feel that among other things, their confidence had been breached.

That’s never how you want your shoppers to feel.

One can only imagine how often these things happen. (Though maybe it is better not to think about it too much…we’d all go back to hiding cash in our mattresses.) It seems like several times over the past few months we’ve gotten new debit cards to replace existing cards in our wallets, with a note saying that this was just a precaution because of a feared breach of bank or retailer systems.