Gander Mountain Missing Computer Contains 112,000 Credit Card Numbers
Date Reported:
9/10/07
Organization:
Gander Mountain
Contractor/Consultant:
None
Victims:
Customers of the Greensburg, Pennsylvania Gander Mountain store
Number Affected:
112,000
Types of Data:
112,000 credit card numbers and expiration dates.
10,000 transaction records containing name, credit card number and expiration date.
Breach Description:
"Computer equipment" has gone missing from the Greensburg, Pennsylvania Gander Mountain store that "may have" included customer transaction information. The computer is assumed stolen.
Reference URL:
http://www.gandermountain.com/news/newsitem.asp_Q_id_E_12939
http://www.thepittsburghchannel.com/news/14092404/detail.html
Report Credit:
Gander Mountain
Response:
From the online references above, including Gander Mountain's official press release:
"The stored transaction information may have included:
- Approximately 112,000 credit card numbers with expiration date but without any other associated information.
- Approximately 10,000 transaction records may have included the credit card number, expiration date and customer name.
- For the approximately 5,100 credit card customers who returned merchandise or did a lay-away purchase at the store during this period, the information also may have included an address.
- For the approximately 650 customers who purchased by check and returned merchandise without a receipt or put merchandise on layaway by check payment, the information may have contained a name, address, driver’s license number and date of birth."
[Comfyllama] I, for one, appreciate Gander Mountain's candidness.
"The company has sent letters to the approximately 5,750 customers for whom address information is available informing them of this incident."
[Comfyllama] This is somewhat rare. Gander Mountain is not sure who all of the affected people are.
“Our primary goal is to prevent any harm to our customers affected by this situation,” said Mark Baker, Gander Mountain President and CEO. “We have no evidence that any of this information has been misused, or that the missing equipment was stolen with intent to steal data. We take this matter very seriously and regret any inconvenience to our customers who shopped at our Greensburg, PA store.”
[Comfyllama] An official statement from the company CEO! This is precisely the right person to be addressing the public, even if there is some standard breach lingo. This is a CEO that understands that the buck stops with him. I respect CEOs like this.
"Beginning September 11th, the company has established a toll-free helpline for affected customers at , during the hours of 8:00 am to 5:00 pm CT Monday through Friday. This number will be effective through September 28, 2007. Customers may contact the company at Gander Mountain, 180 E. Fifth St. Suite 1300, St. Paul, MN 55101, Attn: Customer Service, or by email at . Additional information is available on the company’s website at www.gandermountain.com (click on “Important Customer Alert”)."
Commentary:
This is the second breach on the blog from the state of Pennsylvania today.
Overall, I am impressed with the response from Gander Mountain. However, I still have a couple of questions. One, why did Gander Mountain store this information at the store? I don't know what purpose the information serves after the transaction has been completed. It doesn't make sense to store the credit card information. Two, what steps will Gander Mountain take to reduce the risk to their customers in the future?
Past Breaches:
None