[ISN] Shoppers' data stolen from DSW shoe stores

InfoSec News isn at c4i.org
Wed Apr 20 04:14:27 EDT 2005


April 20, 2005

If you shopped at the Dadeland DSW Shoe Warehouse during the past two
years and paid with a credit card, debit card or check, your credit
information is now in the hands of thieves.

It is the latest in a rash of security breaches involving personal
data that can be used to steal an individual's identity.

The shoe retailer didn't offer details of how its computer system was
hacked but said the theft included data from 1.4 million credit and
debit card transactions and 96,000 check transactions at 108 stores,
including those in Miami near Dadeland Mall, Aventura, Davie, Boca
Raton and West Palm Beach.

The affected transactions occured between mid-November 2004 and
mid-February 2005, except at the Dadeland store, where the theft
stretched back to early 2003.

''We don't know why that location was targeted,'' said Rob Whitehouse,
a DSW spokesman.

For each credit or debit card, stolen information included card
number, name and transaction amount. Address, PIN numbers and any
other personal info was not stolen, the company said.

With checks, checking account numbers and driver's licenses were
obtained, but not customer names, addresses or Social Security

The DSW thefts are one in a string of recent high-profile incidents
involving confidential consumer data. Thieves may have accessed as
many as 310,000 Social Security numbers from LexisNexis databases.  
Earlier this year, the ChoicePoint data clearinghouse revealed thieves
posing as legitimate clients bought information on 145,000 people.  
Bank of America also revealed it ''lost'' computer data tapes with
account information on more than one million federal employees.

Sen. Bill Nelson, D-Fla., is one of several legislators taking steps
to strengthen laws to offer consumers more protection for their
personal and financial information. Nelson has introduced a bill that
would require the Federal Trade Commission to establish safeguards
that would apply to any company warehousing consumer financial data.

''There are millions of Americans right now whose entire life history
is flying around in somebody's hands,'' said Dan McLaughlin, a Nelson


At DSW, neither the Southland Mall location, which was not open in
February when the company's computer system got hacked, nor the store
at Kendall Ridge Center was hit.

Identity theft experts say this didn't have to happen.

''This is sloppy handling of information or poor security
procedures,'' said Jay Foley, co-founder of the Identity Theft
Resource Center in San Diego, a nonprofit organization that assists
victims of identity theft. ``Somewhere there's a flaw in the system if
they're allowed to lose this much information.''

Customers who made purchases at DSW stores during the affected time
periods are urged to pay close attention to their credit card or bank
statements for unusual activity.

They should also contact their bank or credit card company for
additional guidance. Customers can also check the company's website
www.dswshoe.com for more information.

''We understand that our customers feel violated by this criminal act,
and we feel the same,'' said a statement from Debbie Ferree, DSW's
president. ``Our sincere apologies go out to our customers for the
inconvenience this may have caused. We will continue to work with
authorities to identify and prosecute those responsible for this crime
to the full extent of the law.''

With its rows of discounted men's and women's shoes, DSW is a mecca
for shoe lovers.

But Lilly Lancent, a South Miami resident who buys shoes at the
Dadeland DSW store several times a month, said Tuesday she was shocked
to hear the news of the identity theft, especially after using her
credit card to buy a new pair of shoes.

''I think customers have a right to know that this is going on,'' said
Lancet, clutching a black-and-white striped DSW bag. ``I shouldn't be
shopping and putting my trust in a place where things are shady.''

Others said they were aware the store had had problems and have made
changes in their purchasing habits. DSW first announced some customer
information had been compromised last month.

''I paid with cash because I'd heard about it,'' said Claudia Farfan,
an interior designer from Doral, who stopped by the Dadeland store
Tuesday between client visits. ``You never know -- it just makes you
very cautious.''


DSW said it contacted the U.S. attorney's office and the U.S. Secret
Service within 24 hours after discovering the theft.

Ray Lopez, assistant to the special agent in charge with the Miami
office of the Secret Service confirmed the matter remains under active
investigation, but would not discuss the details.

The retailer also immediately notified all major credit card companies
-- Visa, MasterCard, Discover and American Express -- and provided the
companies with the stolen credit and debit card numbers. DSW said it
hired a computer security firm to conduct a forensic investigation
regarding what happened and take steps to prevent any repeat
situations. But the company won't elaborate on the changes that have
been made, Whitehouse said.

''We don't want to give them any clues,'' he said.

More information about the ISN mailing list