A couple of months ago my credit card company called me about some strange charges on my credit card. I am sure they have all my purchases categorized, scored and modeled and knew right away that I probably didn't make these charges. I assumed my card got compromised when I ordered race pictures from Snapfish.com. The credit card company said no problem, they would block the charges and issue me a new card.
A couple of weeks ago I came across a thread on MTBR, titled Nashbar Credit Card Fraud, talking about how Bike Nashbar had their systems compromised and how a lot of the credit card information got stolen. After reading this I realized that it wasn't Snapfish, it was really Nashbar! My last charge was in January and the pieces all of a sudden came together.
After reading about the issue, and this was on the heels of making another purchase from them, I sent them a note expressing my displeasure with the situation and questioning whether I would continue to be a customer. I got a response that they would be sending me a letter addressing the issue.
Nashbar Direct, Inc. ("Nashbar") takes the privacy of its customers very seriously. We regret to inform you that our previous website servers were recently the subject of an illegal attack that allowed unknown persons to obtain the names, addresses, email addresses, web account password, and credit or debit card information of some of our valued customers, even though such information was encrypted ...
Now, what I would like to know is whether or not I would have gotten this letter if I had not sent my note in to their customer service. Their saying "some of our valued customers" leads me to believe that they have no clue about the extent of the penetration; this impression also comes from reading the thread on MTBR. They go on to say that my identity is safe because they don't have my social security number.
Included in the letter was a FAQ and the one that seems most poignant is:
2. When did this happen?
While the attack was confirmed on May 18, 2009, it appears that the unauthorized access began in December 2008. We began receiving a small number of customer complaints about unauthorized charges in mid-February 2009. The outside vendor who hosted our website informed us that it could find no evidence that a breach had occurred, but we were concerned about the security of our customers' information. We shut down the compromised website environment on March 3, 2009 ...
So, Nashbar knew there was a problem in mid-February and it took them three weeks to shut the site down. Nice! You would think in this day and age, with the rampant spread of credit card fraud, that this would have been a telltale sign they had a problem and they would have shut down the site upon the first notification. But they didn't, because they probably doubted the claims at first. Apparently, Nashbar also shares your credit card information with third parties for marketing purposes, which means, although I am sure they would never admit to it, that it could have been an inside job.
At the bottom of the letter they tell me that they value me as a customer and are offering me a 30% discount on my next purchase (within a certain period of time, of course). This translates to 30 cents on the dollar to bring me back as a customer, which seems kind of cheap to me. Maybe if I had spent a lot more money there I would have gotten a bigger offer. Nevertheless, I will definitely use the coupon, but I will probably think twice about ordering from them in the future.