(Photo caption, beginning cut off) …after a security breach at Nashbar.com resulted in fraud. (Photo © J. Maus)
Northeast Portland resident Gabriel Tiller is something of a bicycle renaissance man. He has won a national tall-bike jousting competition, taken top prize at the Zoobomb Century, earned a spot on the gravity-biking podium at the Maryhill Festival of Speed, enjoys bike touring, and has recently taken up mountain biking.
Most of the time, Tiller builds bikes from used parts lying around his garage or from various sources around town. But often, he buys hard-to-find parts from an online retailer to feed his cycling habit.
Last week, he noticed several strange charges on his credit card that went to unfamiliar websites like “networkagenda.com,” “fedgrantusa.com,” and “gglprofit.com.” He immediately Googled them and found that there were many other people complaining online about similar fraudulent charges. A little more digging and he confirmed the culprit: Nashbar (also known as Bike Nashbar).
Nashbar (which is owned by North Carolina-based Performance Bicycle, Inc.) is a large, national online discount retailer of bike parts and accessories.
According to pages and pages of complaints from angry customers on BikeForums.net, Nashbar has acknowledged that one of their websites was hacked back in December 2008. However, according to this local newspaper story, the company didn’t tell customers about the security breach until July 1 of this year.
Also according to that story, Nashbar has sent out a letter to customers about the incident. Tiller says he has yet to receive a letter. He called Nashbar and they took down his details, but so far, they haven’t offered him any compensation.
I’ve tried several times to speak with someone at Nashbar about the issue. The two people I’ve gotten through to both refused to give me any information about the incident. The Nashbar “Customer Care” representative said she doesn’t handle information for the media, but she would not give me any other number to call. As I was trying to get more information from her, she just hung up the phone.
Nashbar has admitted that their customers’ credit card information was stolen in a security breach, yet they waited seven months to notify anyone about it, and when asked to provide more information about the incident, they refused. (Update: I’m now trying to speak with someone at Performance.)
As for Tiller, he’s keeping a close watch on his bank account.
Try contacting Performance Bicycle; they own Nashbar.
After I saw your first tweet, I went and checked and my CC company had changed my account number after 15 years; when I called they said that they had been notified by a “compromised vendor”. I’ve used this card at Nashbar, really makes me wonder.
Wow. Security breaches are somewhat understandable (no one’s perfect), but Nashbar’s handling of the aftermath is really deplorable. I’ll make a mental note to NOT do business with them in the future.
Dear Nashbar: Honesty and transparency are both good ethics and good business. You’re shooting yourself in the foot.
I have been dealing with my bank for almost 2 months now trying to figure out where these exact same charges came from. I am now printing off this article and taking it to the bank. Thanks for the heads up.
He needs to contact his bank/credit card and report this as fraud; that is how he’ll get refunded. Performance/Nashbar isn’t going to refund.
This past spring, I got a really strange charge on a credit card I rarely use. Thankfully, the company emails me when charges are made. I called and canceled the card within minutes and they only got two charges to a really skeevy online get-rich-quick thing.
For the past three months I’ve been locking down my personal info and checking credit reports, checking passwords and security everywhere (I’m a web developer) in hopes of figuring out where this identity theft originated.
A friend told me about this yesterday and after I saw your tweet Jonathan, I decided to look up which card I used for a single purchase off Bike Nashbar last fall.
It was the card that was compromised. Figures.
Love them or hate them, I am with Bank of America. I set up an alert through their website to send me an email if there is a charge to it.
It came in handy once when someone in the Netherlands used it online. The faster you know about it, the better you can react.
I am glad I am not the only one. The same card # I used to shop with Nashbar was stolen from me and used to make purchases online. I did not put the two together until I got a call from Nashbar (more specifically a woman working for a PR company representing Nashbar) about a month ago. My card got used about a month after their breach. I can’t prove the two are connected but I wouldn’t be surprised if they are.
Just like the person in the story there was no offer of compensation, which honestly makes me quite mad. The same company sent out a bad email offer last week and after realizing they had made a mistake in the email sent out another email that same day offering free shipping as compensation for the earlier screw up. This makes you wonder why they would not offer anything to those of us who could have had our cards compromised. I haven’t gotten the letter yet but if they are smart they would include a coupon of some sort. If not they are getting an angry phone call and I will not shop there again.
You people are barking up the wrong tree.
Your bitch-and-moan, holier-than-thou, you’re-so-perfect attitude is helping Nothing. This kind of thing happens all the time; the card companies usually catch most of this stuff right away. You were unlucky, sorry. But if it’s fraud, you don’t have to pay. I’m sure it’s inconvenient, but making the whole town bitch about Nashbar is not the solution, sorry. Happy biking !!
RyNO, they *should* bitch about Nashbar – the site gets compromised in December 2008 and they wait 7 months to notify customers? That’s inexcusable, and a perfectly good reason to complain.
Yes, fraud is common, and with linked databases it gets more common all the time. Sure, credit card companies know how to deal with it. Neither of those facts excuses a company for waiting 5 months before notifying their customers that their information has been compromised.
and it sounds like now they want to clam up even more and not disclose anything to the press – not exactly open or transparent.
Yeah, I wouldn’t say they owe anyone a refund on those charges, but they do owe an explanation for why they failed to notify customers or, apparently, take any action to correct the situation.
There is a reason that compromised vendors are supposed to remain anonymous, why your card company is not supposed to tell you the name of the compromised vendor. And this scenario is exactly why. Sorry you don’t get it. Go for it, give ’em hell for getting hacked… and pray it never happens to you…
I got hit, too. Just got the letter, but I had charges from Google Profits and similar things. It started with calls to my cell phone to discuss the disc they were mailing me after I signed up online. They shipped discs twice and charged me for shipping. I reported all fraudulent charges and was credited by my card company. I also reported everything to the Oregon Attorney General’s office, and they followed up by letter, phone, and email. The fact that Nashbar knew about this and did not notify customers is inexcusable.
I’ve had fraudulent charges hit my credit card a few times over the past 10 years. It’s a pain but if you watch your statement and immediately report any unknown charges, you won’t have to pay anything and it shouldn’t impact your credit report in any way.
That said, Nashbar needs to explain what they’ve done to improve their credit card processing security – and until they do that, I have no intention of buying anything from them.
I do credit counseling for a living. When a credit card is branded with Visa/Mastercard it entitles you to certain protections. Notify the credit card issuer (bank) that there was fraud and dispute the charges. If you don’t do this as soon as you know about the fraudulent charge you may be held liable for part of the charges. BikeNashbar will not eat the charges, but the card issuer or Visa/Mastercard will. If it gets to be serious, Visa/Mastercard will make BikeNashbar repay them for fraud liability. BTW, you should not use your debit card for online purchases because if your checking account funds are compromised it will lead to all sorts of other problems which you will not be repaid for.
Thanks for the info: “You should not use your debit card for Online Purchases…”
That is the question that I wanted to ask.
So…..pay cash, and buy locally.
I’ll bet Bike Gallery, for instance, would be a whole lot faster to notify customers if their security was breached like that.
I also had fraudulent charges on my card in April – the same card I used to buy some stuff at Nashbar last year. W T F !?!?!?!?
You can bet I’ll never spend another dime at Performance OR Nashbar. Their (pack of) response to the breach is more upsetting than the breach itself.
I never received an email or letter from Nashbar. Unbelievable.
That should read ‘lack of’ not ‘pack of’. 😛
Security compromises are inevitable with today’s technology. Pay attention to your accounts, be diligent with whom you do business and never assume anything. I was in Mexico this past Spring for our honeymoon. We paid cash for everything except for a daily rental of a vehicle; this was back in April. Went online yesterday to pay some bills and noticed a Samsclub purchase in Cancun?? Talk about WTF, I don’t even shop at Sams or Walmart for that matter. I immediately called my banking establishment, notified them and cancelled my current card. It sucks to be the victim; however, pay attention to your accounts and you should be able to stabilize the damage.
RyNO Dan said (among other things): “Go for it, give em hell for getting hacked”
I will. They were obviously storing credit card information in plain text. If you don’t have the proper security in place to protect your customer’s data, they have a right to know, and a right to never shop with you again. Sorry you don’t get it.
I’m sorry, but if you run an online business and your customers’ data gets compromised, IT’S YOUR FAULT. Period.
Somebody needs to tell Nashbar this ain’t Vietnam, there are laws!
Laws in 44 states, in fact.
I had the same experience this week, now I know why, I used that card at Nashbar.
As someone who does a lot of online shopping, is fairly tech literate, and has been hit by fraud in the past, I have some comments:
First of all, shame on Nashbar for waiting so long to tell customers; however…at the same time, I don’t think this is that far from the norm. Corporations usually do major investigations when there is a security breach before announcing it to the public. Also, just b/c you used Nashbar does not mean that your account was hacked which may be why you have not received a letter. Computer systems are complex and most likely they need to audit their whole system and figure out which specific customer databases were hacked into.
It is _NOT_ Nashbar’s responsibility to refund the money. They don’t have your money, some random hacker or group of hackers do so why should Nashbar take money out of their bank account to pay you? If you come to a party at my house, leave your wallet on a table, and someone steals it, do you expect me to give you any funds that were in there? I don’t think so, so use the same logic. You need to contact your bank and they will do their own investigation. Nashbar _should_ step up here and provide support to customers who were affected via documentation that can be provided to banking institutions.
Yup I got hit this winter with fraudulent charges. Nashbar was only one of the few online stores I used a specific combination of name, phone number and address with.
I notified them this winter that I believed their database had been compromised. They did respond, but never told me they had been hacked. Would have been nice to have known, but I figured it was them anyway.
Oh and by the way, Nashbar isn’t the only one to get hacked. It happens quite a bit, unfortunately. You can’t blame every compromise on them, though it’s convenient.
Also, I believe you are not liable for fraudulent charges. The bank should reimburse most of them for you.
erikv and others:
No one, or few, at least, are angry at Nashbar for being hacked. It happens. The point is that they’ve been extremely secretive and unhelpful in the aftermath. They have handled the situation very badly. They freakin’ hung up the phone on Jonathan!
Duly noted and duly boycotted.
I do want to note that although I have done some purchases at the Performance shop in Beaverton, I have not had any funny charges on my card.
Perhaps the problem does not include the local Performance shops.
Thanks for the heads up!
Time to let Consumerist know. These guys have ways of getting a hold of higher-ups & embarrassing them…
This is a no brainer.
Dispute the charges with your credit card company. They will remove the charges as they want to retain your account.
Why do people always look for stupid alternatives?
Also why would anyone want to buy from Nashbar or Performance?
credit card info will continue to be stolen. you are typically not liable. keep an eye on your transactions to be sure, contact CC company with questions.
one solution: buy local, pay cash
another solution: some CC companies offer “disposable” cc numbers for online transactions, could go that route. probably not convenient for a frequent shopper?
Performance and Nashbar both suck.
So does over dramatizing a complete non-issue such as this. Slow news day?
Slob boy #31: “why would anyone want to buy from Nashbar or Performance?” That’s the most important question. Online or in store, those guys aren’t helping anything.
Well, maybe people should think twice before ordering krap from an online discount store and order components from your friendly local bike store. Keep local people in business instead of some online retailer.
My CC company called this week with a fraud alert – and I have used it at Nashbar. Looks like quite the pattern evolving here. No proof, however – the card # also could have been skimmed at a restaurant. Second time on this card, and it IS quite the pain.
I guess a LOT of local folks got hit by this one.
I’m not saying this applies to the Portland area by any means, but there are lots of people in North America who are 100+ miles from a bike shop. These people rely on online/catalog retailers like Nashbar & Performance and don’t really have any place else to go. This is really uncool for them.
Why would anyone shop at Performance or Nashbar?
I once got Ultegra STI shifters from Nashbar for less than River City could get them wholesale (I asked, because I’d rather buy from them). I’d rather shop locally, but unfortunately sometimes my bank account dictates I find the cheapest option.
That said, I’ll never buy from Nashbar/Performance again. But I also won’t hesitate to buy from an online bicycle retailer in the future if I find a screaming deal.
Thanks Dave #17 – slightly off the main topic, but such an important message!
Everything is better when done LOCALLY!!!!! Pleasant side-effects include less fraudulent credit card use!
And screw the credit card companies anyway!
Security on computers is quite simple for vendors who pay for quality tech labor. A security breach like this is preventable. I worked for a co-operative bike shop that wanted to get rid of their stand-alone VISA machine until we pre-tested an upgrade. We found out the POS software “upgrade” stored all 12 digits of the credit card number in a text file along with name etc. We called the vendor “profit plus”, who did not seem concerned in 2004. I pointed to the breach, the law, and prevented the upgrade. Anyone who buys from a local shop using profit plus may be vulnerable. Online simply means a target is more delicious and widespread for criminal minds.
Finally, there is no such thing as true cost savings when a person in Portland buys bike parts from a Nashbar or Performance. I can understand that access to reproductive services and bike parts is highly limited in most rural sections of our vast nation of freedom. But great mother of all excuses, if you live in Portland, buy local, where you pay no taxes, no shipping, and you get great refunds, and most shops have 2-8 mechanics with 30-100 years of combined experience.
Wow, this sucks. I buy tons of parts from Nashbar. You cannot beat their prices anywhere. I hope they get things straight or they just lost another customer. I agree with Roma. I would love to buy locally too, but my bank account also prefers the prices at Nashbar.
Not to be a shill for Paypal here, but their browser plug-in allows you to generate a secure single-use card number.
Pretty hard to hack a card number that is for one time use only. You do not, under any circumstances, want to give out your debit card number over the internet.
I would agree that you should probably just buy local, since Universal Cycles will price match anyway.
Second the recommendation for Universal Cycle, price-matching and real staff. Also, BikeTiresDirect is another local/online vendor that has good prices and is staffed by actual cyclists.
Performance/Nashbar are the Wal-Mart of cycling gear. They have predatory practices that target small local shops and their service is god-awful. I stay away.
Performance/Nashbar will never truly care about you or your problems. If you want honest, credible service, visit your local bike shop.
Also why would anyone want to buy from Nashbar or Performance?
Uh, maybe because they have good prices and a friendly staff. I have consistently been treated better at Performance than at any other ‘local’ shop in town. I have never gotten any of the attitude that so many of the ‘local’ shops seem so good at distributing. Maybe some day I will have a job that pays me enough so that I can piss money down the drain at Bike Gallery. Until then, I will go with the lowest price. Sometimes it’s Performance, sometimes it’s Bike Tires Direct (who are great but have a limited selection), and sometimes it’s City Bikes.
Also- No one else in town carries the E3 saddle that I love.
In terms of security, big companies do get hacked, but if you read up on identity theft you will see that you have the greatest chance of getting your CC number stolen at a local business where an employee writes it down or rubs your card number, and then steals the 3-digit code off the back. Most CC numbers are stolen by waiters and waitresses because they often have access to your card when you’re not watching.
Nashbar called me directly to explain the breach. I was actually pleased by their friendliness and apology.
Of course, since it’s a credit card, my bank (US Bank) handled the fraud stuff quickly and easily.
Wow. I went through the same thing as many above and based on the direction things went (google profits, etc.), it sounds like Nashbar was probably the culprit.
Just a heads up, watch your email too. The same time my credit card was hacked, my email was. A simple password change can make a world of difference if you end up in this situation.
2 potential mistakes here:
1. If you buy with a debit card, you lose your money. Use a credit card always!
2. It seems that Nashbar uses a ‘Walmart’ model for their business products (find something nice, copy it and make it in a 3rd world country for pennies on the dollar). You get what you pay for, and sometimes more, apparently…
I just got my letter today, dated July 13. Logged into Citi to check my charges and they have issued me a new card. I check my statements religiously and haven’t had any fraud to date. Also, I have my own domain, so I make up email addresses for every account I register, so I can tell who’s compromised or selling my info.
Incidentally, after I got a Nashbar order shipped to a client site I started getting Outside magazine there (I think they’re REI?). So they did sell my shipping address to a mailing list.
I second the LBS sentiment, but sometimes Nashbar closeouts just can’t be beat, and certain LBS’s in the Portland area have given me crap about negotiating with their insanely inflated retail prices. I buy from the ones who don’t put themselves on a pedestal.
Just got a letter from Nashbar yesterday also. They offered a nice 30% off code too. I will order from them again, but will be aware. I had 2 fraudulent charges on one of my credit cards recently, and it was after transferring money from one card to another. Someone tried to hack into both cards, but was only successful on 1 card. I did not have to pay a dime. They (Mastercard) were very good about dealing with the whole thing. This is something to watch out for as well. It had to be someone at one of the card companies, who of course have access to all of our numbers. You really can’t prevent something like that from happening.