customers were affected by credit
card fraud.
Seeking to explain their response to a credit card security breach, I got a call last week from the PR spokesperson for Performance Bicycle Inc.
Performance owns Nashbar, a large online retailer that recently acknowledged that credit card scammers hacked into their site, took over customer accounts and made fraudulent charges.
After BikePortland and one other local media outlet reported on the situation, the Performance spokesperson contacted us and said CEO Jim Thompson wanted to “shed some light” on what happened.
The main issue of concern was why it took them over four months to tell some customers about what had happened. Portlander Gabe Tiller said he discovered the fraudulent charges on his own just a few weeks ago.
When asked about the lag time, Thompson blamed his third party online security provider. In a phone interview, Thompson said he first heard about possible customer security issues from his CFO in February of this year. “There was an inflow of calls,” he said, “and we began to get concerned. We said, there’s an issue.”
At that point, Thompson said they ran the Nashbar site on a third party platform. Upon hearing about the potential problem, he claims he contacted the company immediately and told them to go through their forensics and diagnostics process. On February 15th, Thompson said the company reported no security issues. But, Thompson noted, “We were still getting calls and we were very concerned.”
In the meantime, Performance was moving the Nashbar site to a new platform (a move unrelated to the security breach) to improve capacity. On March 10th, still worried that a security breach was behind an influx of customer calls, Thompson says they hired an outside firm to begin another round of diagnostics.
“We said to them,” remembered Thompson, “something’s just not right.” However, according to Thompson, the security firm said they couldn’t detect a breach. This report just didn’t add up to Thompson. He said “the numbers were adding up and we were still getting calls.” Determined to follow their hunch, Thompson said they hired another firm and talked with their payment processing service “to really dig into what happened”.
Finally, on May 18th, Thompson said they got a report. Turns out his hunch was right. The Nashbar site, the security firm found, was first hacked on December 7th, 2008.
Thompson expressed frustration in the several months of lag time it took from when they suspected a security breach to when it was confirmed. “It took them [the firm hired to find the breach] longer than we had hoped for, but they had to go through every single transaction.”
What they found was that the credit card information of 150,000 customers had been compromised.
Once they realized this (in mid-May), Thompson said, “We immediately hired a lawyer.”
With the report of 150,000 instances of credit card fraud in their hands, Performance still did not make any public statement about the situation or make any contact to the affected customers. Thompson said their lawyers were busy wading through state regulations and laws about credit card fraud. According to Thompson, each state has different laws for how and when customers of fraud can be contacted.
Furthering the delay in contacting customers was what Thompson claimed was a sense of wanting to go above and beyond what was legally required. Instead of an impersonal blast of form letters or a widely distributed press release about the situation, Thompson said he decided to “contact all of our guests [his word for customers] individually.”
Performance began outbound calls to customers in June, before they did any mailers. He also said some customers didn’t hear from them because they decided to not leave any phone messages. The first public statement made by the company was in a newspaper story published on July 1.
Since then, Thompson said they’ve made tens of thousands of phone calls.
Looking back at the situation, Thompson said he has no regrets on how they handled it.
“As soon as we got the report, I felt we used great urgency and sensitivity to the situation. If anything, it was a point of frustration that we contacted our third party provider in February and it took until mid-May to get validations and details about what had happened.”
If they knew about the fraud in May, why didn’t they send out a notice to customers immediately? “That’s a fair question,” Thompson repolied, “but i felt it was so important to touch the guests individually.”
Thompson said that, in the case of Gabe Tiller, they contacted him via telephone in late June but didn’t leave a message. “I have called him personally since,” Thompson said.
Since the security breach, Peformance has beefed up anti-fraud measures. “Both websites [Performance and Nashbar] are on new platforms,” Thompson said, “I’m so darn frustrated by this whole thing, I don’t want to go through this again.”
just one more reason to go to your local bike shop instead of the internet.
Would be very curious to hear how they were hacked, exactly. Must have either been something pretty clever, or they were hiring some pretty boneheaded security firms. Maybe both.
Surprisingly it happens a lot. A company doesn’t know anything about internet security and they put their trust in a “third party provider.” What they realize later is that the provider’s idea of a web server is an outdated machine, sitting out on the web, unencrypted CC/customer database included. In the end it becomes a blame game between the two parties.
This may or may not be the case with Nashbar, but I’ve seen it take place with other online retailers.
Maybe it WAS the security firm?
Why not leave messages? I routinely screen my calls at home, because I am sick of wasting my time on telemarketers.
If I do happen to answer my phone, I wait 5 seconds. If I don’t hear anything, or hear the unmistakeable sound of a call center, I hang up.
I think Performance screwed up by wanting to make individual phone calls to all 150,000 people affected, and not leave messages. A letter sent in May, followed up by the personal phone call, would have been a better business plan.
#1 If your local bike shop uses computers (likely) and stores sales records (also likely), you’re not really much, if any, safer… unless you get rid of all your cards and go cash-only.
#2 Cleverness isn’t necessarily required. As #3 pointed out, security on the Internet (and at your local retail outlet) is often a joke, more Security Theater than actual security.
That’s a completely bogus response. It was more important to personally contact each “guest” than to just let them know “hey, better check your transaction record?” Sounds to me like they chose PR over basic concern for their customers’ security.
FWIW, my account was compromised, and I never got a call (and I do check my Caller ID). I *did* get an “impersonal form letter,” but only long after my CC company had canceled the transactions, and after Nashbar had been outed on various forums (in fact, only last week). I don’t imagine I would have heard anything from the company if word hadn’t gotten out about the breach.
I understand that these things happen, but I’m bothered by their response — spin control taking priority over swift notification. And the 30% discount they offered me in the letter (at the same time they announced a 20% discount for everyone!) doesn’t exactly entice me to send them my *new* credit card number.
I would much rather receive an “impersonal” email in a timely manner than a phone call weeks/months after the fact.
Jonathan, didn’t they initially hang up on you after you told them that you were a reporter?
Stunning.
But not entirely surprsing.
Anytime your business gets that big, you HAVE to hire other firms to handle certain aspects. Which aspects do you entrust to an outside party?
The mistake was in hiring someone else to handle their customers’ online security.
The bigger mistake was in trusting that outside firm for as long as they did. The FIRST time they got a non-response to their concerns, they should’ve been on the phone with their legal department. Waiting five months was a mistake.
Perhaps another bugaboo is related to allowing your company to grow so large as to become this uinwieldy, but that’s another discussion for another time…
My experience was somewhat different. I got a phone call from Nashbar (they even tracked me down at work), and also got a follow-up letter that seemed pretty detailed. I believe it was around 4-pages long. My perception was that the letter was reasonably through regarding recommended precautions to take. Scared the heck out of me, but I did not incur any fraudulent charges. I guess I’m one of the ‘lucky’ ones this time.
I have been having strange small charges on my credit card. So I ordered a bill from Dec to see if I had used Nashbar then. My guess is that I did. I had to have my credit card company delete my card and send me a new one. Then I had to fight to get the charges taken off. Now I got a collection agency now trying to collect more money. I have never received any contact from Nashbar or Performance. If they think what they did was correct than I guess I won’t be doing any business with them in the future.
It amazes me that they weren’t more proactive in leaving messages or sending emails. The fraud didn’t happen to me (and many other people online) until mid-June so I could have cancelled my credit card prior to it happening if they had let me/us know. There was no need for a personal phone call (which I have yet to receive). I screen my calls (as do many people) so if there is an unknown entity on caller ID I never answer. It makes no sense to not leave messages or send emails/letters. Really, I just don’t get it….
beth h- at one point should a company decide to ‘stop’ growing? What day do you wake up and say ‘Ya know, oh gee, I think we’re too big! Better let some people go!’. I know Portland loves to hate any business that’s ‘big’, but give me a break.
And how is a small company any better at handling its own security? If your personal home computer got hacked would you be able to figure out the ip address of the person that hacked it? No way. You’d have to hire someone that specializes in that.
While this is an unfortunate situation, it hardly seems like Performance was negligent. They clearly are not trying to pretend like it didn’t happen, and with the myriad of lawyers waiting to sic anyone and everyone, it is sometimes in a company’s best interest to wait to get all the facts, which seems pretty close to the what happened here. But if everyone feels better hating the ‘big, bad, evil, mean corporation’ then have at it.
Once they realized this (in mid-May), Thompson said, “We immediately hired a lawyer.”
Wow. Nice to see spring into action so fast once the data theft was confirmed, if only it wasn’t just to cover their own asses.
“Looking back at the situation, Thompson said he has no regrets on how they handled it.
I’d have to say he’s probably the only one who things this was handled appropriately.
This happens every day to companies large and small. It’s naive to think that an LBS is not subject to security breaches. Turning this into any kind of “large vs. small company” argument is silly.
I just got a letter from Nashbar a few days ago. My credit card company canceled my card a few weeks before that and sent me a new card. I don’t know if that was in response to Nashbar or not (they didn’t specify).
Regarding Nashbar’s slow response, I too am puzzled by the delay. However I find it quite plausible that navigating the labyrinth state and federal regulations is a very time consuming process that requires substantial and expensive legal counsel.
@ # 13:
Constant growth is not always best for a business, nor for a community.
Fish grow to the size of their tank. What about growth that is taken at a much slower, more deliberate pace? What about small businesses, which remain the backbone of this economy for their ability to hire and serve local people and to keep more revenue in the community?
I’m not totally anti-Corporate, but I think that Corporate control of our economy has gotten out of hand. I am all in favor of returning to smaller economies of scale whenever and wherever possible, because I believe that this is a more sustainable approach. Bikes are perfect vehicle for helping that vision come to reality because they encourage a slower, more local lifestyle.
Luckily I did not make some purchases I considered from Nashbar last fall and I have not been caught up in this mess.
Having said that, I guess that I would forgive that they had a third party security company and that it took so long to get yet another security company to track down the breech BUT I would agree that the urgency was critical and a letter should have been sent immediately and then if they wanted to spend the time calling individual customers that was the time to do the follow up calls.
So if other retailers are listening:
1. Notify immediately
2. Come out with a public statement and an invitation for customers to contact them.
3. Then do the follow up nice calls.
4. Offer some sort of “our security was breeched” discount to encourage all customers to return.
Beth H,
Performance’s stated goal is to put all independant, locally owned bike shops out of business. Performance/Nashbar is the Borg of the bicycle industry.
@ # 16:
That works great, until some party-pooper comes along and provides a better product or service than everyone else.
“Called and didn’t leave a message”? Yeah, the dog ate my homework.
Sadly, I bought something from BN. My bank sent me an email (and a letter) to inform me that there had been some “unusual activity” on my credit card. I had been signed up for some sort of grant program, as well as buying some recipe book from some publisher. Anyway, I canceled the card, got a new one, returned the various items that ended up in my mailbox, and will NEVER buy anything from BN again.
FWIW, The aforementioned publisher told me that the book had been ordered via a hotmail email account (which I don’t have).
Did your bank or credit union issue you one or more new credit/debit cards this year? If so, it was due to the security breach with Heartland Payment Systems. It seems that the Performance/Bike Nashbar breaches may be related.
http://www.bikeforums.net/archive/index.php/t-533238.html
(My credit union has issued me 2 new debit cards in the last 6 months as a result of the Heartland breach.)
I just wanted to add one more thing to my comment above…when we found the fraud on our credit card it was late June and we contacted Nashbar customer service 2 different times. Both times the reps had no idea that there was any problem (and one of the two was shocked and upset by the information). They both said they would pass on the info to their supervisors. It seems that if the company had discovered something in May they would have at the very least trained their own employees to handle incoming complaints. Again, this whole timeline doesn’t make any sense to me…
A couple of years ago I tried to access my cc account online and couldn’t get in. I called my cc company and was told that there had been a security breach (at a company they refused to name), my info was compromised, and they had canceled my card and were sending me a new one. A few days later I got a letter to that effect, followed shortly by the new card. I never had any fraudulent charges on my card, and I never found out whose security was breached. (I haven’t used Performance/Nashbar and it was before then anyway.)
Is there some law/rule about identifying the victimized company? They quite firmly refused to tell me, but implied it was some online company I had used in the past year. Overall I was quite happy with how they handled it; I received the letter pretty promptly after the card was canceled, and since I don’t use it that often I probably wouldn’t have noticed if I hadn’t just happened to log in that day. Is this behavior particular to the cc company? Other people seem to have had a less stress-free experience.
The lynching attitude you see among some Nashbar customers is precisely why the CC companies generally do not release the name of the company that had the breach.
Comments like “will NEVER buy anything from BN again” expose a fundamental misunderstanding on the part of customers.
No company is immune to security breaches. Not Nashbar (obviously), not your bank, not even the pentagon or NSA. I’ve had several credit card accounts closed and reissued this year due to security breaches at companies. The only company I *know* is Nashbar, because they sent me a letter. The others I have no idea.
IMO, the best defense is to never use a visa debit card for *anything*, online or local (security breaches happen at the LBS shop too). Your credit card protects you from fraudulent charges, but the visa debit card takes real money from your checking account, and that has real repercussions.
This is what you get when you farm stuff out to 3rd-party. How about running your own systems? Then maybe you won’t be so frustrated when you want something to happen.
I just got the letter yesterday.AmExpress contacted me in march or april to say they thought someone had my card number. They helped me to get a new number. I’ve was racking my brain tring to figure out how it got out, now I know but Nashbar should have come out soon with the info. I doubt i’ll use them again and I have been a customer for years.
I didn’t even read this article, but if I did, I would probably have the same conclusion, don’t shop with Nashbar…
James (#18): “Performance’s stated goal is to put all independant (sic), locally owned bike shops out of business.”
Please show me where that goal is ‘stated’. If you can show me a written statement from that company with that goal I will never shop there again. In the meantime I plan to use my 30% off discount on my newly-reissued credit card to buy some parts that I simply can’t afford at my LBS. $79 for a new chain? C’mon!!
Nubo (#26): “How about running your own systems?”
Do you do all the maintenance on your own car? Do you do your own plumbing and electrical work (assuming you have those licenses)?
Outsourcing security to firms that specialize in security makes plenty of sense. As Phre3dly wisely points out, though, security systems aren’t infallible, regardless of whether the retailer is online or your LBS (I pay mine in cash, when I can afford to shop there).
For a short time I managed web services projects and dealt with a ‘security breach’ on a large and very famous web site. The response described here is pretty much how it goes, and yes, lawyers were consulted as soon as possible. The ignorance on the part of the retailer’s executives was amazing to me, at least pertaining to the technology (which is why they hired us), but then again I’m guessing I couldn’t run a multi-billion retail outfit (or I wouldn’t be a lowly computer consultant ;). It turns out it wasn’t a “security breach” after all but a bug in Microsoft’s Sharepoint server.
I received the Nashbar letter today, nearly two months after 2 of my credit cards were used for fraudulent purposes and had to be replaced. Now I know that the origin of the fraud lies at Nashbar’s door. 30% off coupon for all the worries and hassle? No thank you Jim Thompson ! I no longer consider Nashbar nor Performance a good place to shop.
btw- I received some De Marchi Contour Bibs from Nashbar yesterday with sewing defects- Quality control is also not very evident at this once proud mail order firm.
I am one of the 150,000. I just discovered four small suspect charges that went unnoticed until now, from February and March. That’s my fault.
I know that transaction networks are delicate and we can expect a breach now and again, and I appreciate the notice from Jim Thomson.
But as stated by others ad nauseum, it was too little too late. I received no phone calls. I did receive a letter yesterday dated July 24. JULY 24. Three pages long, with the 30% discount (for purchases made by August 28!) and all. Full of CYA legalese.
I have been too busy looking for work to follow the various forums (until today), many of which apparently knew of the breach at least a month ago.
It’s not the illness, but the cure that was mishandled. That’s what has me seeing red. I am LIVID. I will tell everyone, from the highest mountain (and I know of some high mountains), NOT to purchase from NASHBAR or PERFORMANCE. Either greed or stupidity was at work here, and either way it’s a violation of the highest order. And yes, I also patronize my LBS so please spare me the lecture. It’s just nice to have something actually in stock once in a while. Shame.
Now it’s almost time for my medication, so if you’ll excuse me.
just last week found bogus charges. had to cancel my card and get a new one.
it’s the end of july. how many months?
gee thompson, you haven’t contacted me. a public notice would have put me on alert but you went with the personal? nice.
one can understand some things but to keep me in the dark til i stumble on something wrong on my own then have to do internet research to find out the story is not one of them.
because of that incredibly stupid decision i’ll not be shopping at either place again, and i have spent a lot of money at both.
After several purchases in December 2008, had several fraudulent charges beginning in March for over $3,000. It was a mess to clean up and took several months to finally resolve.
I understand that CC fraud happens, but the way that Nashbar handled this situation is a public relations nightmare. They are in the damage control mode and did very little to restore buyers confidence in handling this so poorly. This letter is too little, too late and I’ve lost respect for their choice in how they’ve responded.
Each week I receive at least 2-3 emails advertising their special sales. It would have been just as easy to send out a message to indicate a possible breach and to watch your CC for fraudulant charges. I’m not happy at all.
Whatever issue they’ve had last December was not dealt with in May. I made a purchase there in late June (09). Starting two weeks after that point, I started to see bogus charges to my account. A little research into the companies charging me, led me to believe they were fraudulent and that my CC# was leaked from Nashbar. While I can understand that these happen, it is in-excusable to deny it. And when I contacted Nashabr- the initial response I got was just a reference to the issue in December, and no admission of an issue in June/July. When pushed I got an apology. But is appears this issue is not in the past.
Discovered bad transactions in April. Took us until mid-July to get every thing cleared up. Cancelling cards, changing accounts, letters, phone calls. The day AFTER we finally got it all cleared I get “the” letter form Nashbar. 3 month lag and you want to give me 30%…keep it, you lost a regular customer because we didn’t come first!
After several purchases in December 2008, had several fraudulent charges beginning in March for over $3,000. It was a mess to clean up and took several months to finally resolve.
I understand that CC fraud happens, but the way that Nashbar handled this situation is a public relations nightmare. They are in the damage control mode and did very little to restore buyers confidence in handling this so poorly. This letter is too little, too late and I’ve lost respect for their choice in how they’ve responded.