customers were affected by credit
card fraud.
Seeking to explain their response to a credit card security breach, I got a call last week from the PR spokesperson for Performance Bicycle Inc.
Performance owns Nashbar, a large online retailer that recently acknowledged that credit card scammers hacked into their site, took over customer accounts and made fraudulent charges.
After BikePortland and one other local media outlet reported on the situation, the Performance spokesperson contacted us and said CEO Jim Thompson wanted to “shed some light” on what happened.
The main issue of concern was why it took them over four months to tell some customers about what had happened. Portlander Gabe Tiller said he discovered the fraudulent charges on his own just a few weeks ago.
When asked about the lag time, Thompson blamed his third party online security provider. In a phone interview, Thompson said he first heard about possible customer security issues from his CFO in February of this year. “There was an inflow of calls,” he said, “and we began to get concerned. We said, there’s an issue.”
At that point, Thompson said they ran the Nashbar site on a third party platform. Upon hearing about the potential problem, he claims he contacted the company immediately and told them to go through their forensics and diagnostics process. On February 15th, Thompson said the company reported no security issues. But, Thompson noted, “We were still getting calls and we were very concerned.”
In the meantime, Performance was moving the Nashbar site to a new platform (a move unrelated to the security breach) to improve capacity. On March 10th, still worried that a security breach was behind an influx of customer calls, Thompson says they hired an outside firm to begin another round of diagnostics.
“We said to them,” remembered Thompson, “something’s just not right.” However, according to Thompson, the security firm said they couldn’t detect a breach. This report just didn’t add up to Thompson. He said “the numbers were adding up and we were still getting calls.” Determined to follow their hunch, Thompson said they hired another firm and talked with their payment processing service “to really dig into what happened”.
Finally, on May 18th, Thompson said they got a report. Turns out his hunch was right. The Nashbar site, the security firm found, was first hacked on December 7th, 2008.
Thompson expressed frustration in the several months of lag time it took from when they suspected a security breach to when it was confirmed. “It took them [the firm hired to find the breach] longer than we had hoped for, but they had to go through every single transaction.”
What they found was that the credit card information of 150,000 customers had been compromised.
Once they realized this (in mid-May), Thompson said, “We immediately hired a lawyer.”
With the report of 150,000 instances of credit card fraud in their hands, Performance still did not make any public statement about the situation or make any contact to the affected customers. Thompson said their lawyers were busy wading through state regulations and laws about credit card fraud. According to Thompson, each state has different laws for how and when customers of fraud can be contacted.
Furthering the delay in contacting customers was what Thompson claimed was a sense of wanting to go above and beyond what was legally required. Instead of an impersonal blast of form letters or a widely distributed press release about the situation, Thompson said he decided to “contact all of our guests [his word for customers] individually.”
Performance began outbound calls to customers in June, before they did any mailers. He also said some customers didn’t hear from them because they decided to not leave any phone messages. The first public statement made by the company was in a newspaper story published on July 1.
Since then, Thompson said they’ve made tens of thousands of phone calls.
Looking back at the situation, Thompson said he has no regrets on how they handled it.
“As soon as we got the report, I felt we used great urgency and sensitivity to the situation. If anything, it was a point of frustration that we contacted our third party provider in February and it took until mid-May to get validations and details about what had happened.”
If they knew about the fraud in May, why didn’t they send out a notice to customers immediately? “That’s a fair question,” Thompson repolied, “but i felt it was so important to touch the guests individually.”
Thompson said that, in the case of Gabe Tiller, they contacted him via telephone in late June but didn’t leave a message. “I have called him personally since,” Thompson said.
Since the security breach, Peformance has beefed up anti-fraud measures. “Both websites [Performance and Nashbar] are on new platforms,” Thompson said, “I’m so darn frustrated by this whole thing, I don’t want to go through this again.”