Some Stores Fail to Notify Consumers on Massive Card Data Breach

Some of the companies which had data stolen, leading to last week’s ("Feds Charge 11 in Theft of 40 Million Credit Card Accounts," Aug. 6) did not inform customers about the breaches despite laws requiring them to do so, according to a report in today’s Wall Street Journal.

More than 40 million credit card and debit card numbers were stolen over a five-year period, according to the indictment. But only two retailers clearly alerted their customers, according to the story.

Forty states have laws, many patterned after California Senate Bill 1386, requiring notification of affected parties in the event of a data breach. The laws differ somewhat in wording, but the California legislation, affecting any companies that do business in the state, require notification if a breach occurs regardless of whether any fraud is actually committed.

Yet major retailers including Office Max Inc., Barnes and Noble Inc. and Sports Authority Inc., did not follow through with this rule, according to the Journal.

According to prosecutors, the thefts had been taking place since 2003. But the scope and scale of the operation was not realized until TJX Cos., owners of T.J. Maxx and Marshalls, announced in March 2007 a security breach going back to 2005 that involved some 45 million consumer accounts (“TJX Says 45.7 million Credit Card Numbers Stolen in Breach,” March 30, 2007).

When authorities began investigating that breach, they discovered that many announced security breaches, which seemed unrelated, were in fact done by the same people.