NewsDude

An old name in retail was hit by a modern scourge -- a hack of its customers' credit card numbers -- but didn't inform the consumers, revealing how data breaches might be heavily undercounted even with new notification laws.
At least 51,000 records were exposed in the breach at the parent company of Montgomery Ward. The venerable Wards chain that began in 1872 went out of business in 2001, but in 2004 a catalog company, Direct Marketing Services Inc., bought the brand name out of bankruptcy. It now runs a Wards.com Web site along with six other sites, including three with Sears brands it has acquired: SearsHomeCenter.com, SearsShowplace.com and SearsRoomforKids.com.
Direct Marketing Services' CEO, David Milgrom, said the financial company Citigroup detected the computer invasion in December. By going through HomeVisions.com, another Direct Marketing Services site, hackers had plundered the database that holds account information for all the company's retail properties.
Milgrom said Direct Marketing Services immediately informed its payment processor and Visa and MasterCard. Then, Milgrom said, Direct Marketing Services closely followed a set of guidelines, issued by Visa, on how to respond to a security breach. That included a report to the U.S. Secret Service. He said he believed by the end of December that Direct Marketing Services had met its obligations.
However, those guidelines from Visa are largely technical, and they do not cover a key additional step: that notification laws in nearly every state generally require organizations that have been hacked to come clean to the affected consumers, not just to the financial industry.
Companies that fail to comply can be hit with fines or be sued by affected customers, depending on the state.
As a result, scores of breaches covering hundreds of millions of consumer accounts have been disclosed by banks, universities, corporations and retailers in recent years.
After being asked about...

More...