Important Statement From Midwest Supplies

I'd really love to hear a reply from MidWest about their practices and how they're going to prevent this from happening again. Having to deal with my bank and not having my card for over a week was a giant pain in the ass.

Until I hear back from MidWest I will never shop there again and recommend people from doing so as well.
 
Brulosopher said:
Who was impacted? I spent $30 on July 3 then realized 3 weeks later I had 2 charges on my credit card at the same Illinois furniture store, for the same amount. I haven't heard a thing from MW...

Edit: I've never been to Illinois... and don't buy furniture

I want to know this too, I luckily had my cc company refuse the random charges that I had but I still had to get a new cc while on vacation which was a pain in the rear
 
As an IT professional and someone whose credit card was used fraudulently after buying from Midwest, I'd like a better explanation of exactly what happened. Details.
 
As an IT professional and someone whose credit card was used fraudulently after buying from Midwest, I'd like a better explanation of exactly what happened. Details.

Sadly, I feel we won't get any. They've already issued us the blood money and posted this sad excuse for an apology on a long weekend to minimize visibility.
 
I too await a response; although I was not compromised (to my knowledge), I want to see how the rest of this goes down.

If anyone doesn't want their credit, you can send it to me for disposal. :drunk:
 
I love the first world problems here: "blood money", "inconvenience while on vacation", etc.

There are two types of people who shop on-line: those who have had their info hacked and those who will.

If you're gonna shop online, make sure it is with a company with a good fraud policy.

If you don't want to risk it, just take some gold down to your LHBS, or better yet: grow your own barley and hops.

With that said, I hope Midwest learned their lesson by ignoring those who posted here originally in a very respectful manner saying "hey Midwest, a bunch of customers have been hacked; might want to check it out." And responding with "thanks, but it isn't us."
 
I remember that thread too and the big difference I saw between AHS and MW was that AHS basically was upfront and said "hey guys i think we got a problem here, we'll keep you updated with what we find" and MW said "nothing to do with us, stop saying that we have a CC fraud issue, nah nothing to see here, etc."


I think you are missing everyone's point that their "best effort" was a very very very poor effort when compared to industry best practices.

Ah, I didn't really know the timeline or history to this Midwest issue. It did not affect me.

The AHS one did affect me and you are right, they were quick to notify people about it.

I guess I was really more responding to the dissing the small discount, which is similar in both cases. I guess not everything else is similar.
 
I'm anxiously awaiting my notification.

The thing I'm most pissed about is that they were on here claiming that 'no CC info was stored', when right on the payment page, there is a 'check here to store CC info' box and a tab to view stored cards. AND THE STUPID THING DOESN'T EVEN WORK.

I ordered from them this week when they had free shipping (even though my card got whacked in July) and specifically looked for, and UNCHECKED the box. I went to the account>saved cards tab, AND THERE WAS MY CC info....SAVED ANYWAY....sooooo pissed.

This time I used a CC that has never been used for anything online and other limited use, so if it gets whacked, it'll NO DOUBT be from Midwest.

If they don't get this order out in the 'promised' 2-3 days or screw it up (again) it'll be the last time I order from them.
 
Screw that, chew their asses out for yet again storing CC #'s without customers' permission. That's absolutely ridiculous and goes beyond "beyond unacceptable".
 
I haven't ordered from them in a while but I had fraud on my CC in this time frame. A $25 gift card should cover all my late payment fines on my electric, cable and phone, plus the fee I had to pay to get a new card in 2-3 days instead of 7-10 days...rigghhtttt
 
1. Why did you take 1.5 months to notify ANY customers? I don't care what the circumstances are with your investigation, there is no excuse for 1.5 months delay for such an announcement. Honestly, that kind of delay for something that occurred way back in June should be downright illegal. I understand you need to consult with professionals on this matter, but you have a duty to notify customers in a timely manner. You put their CC's and accounts at risk with that move. Until you provide some sort of insight into WHEN you contacted CC companies, and what their actions were in response, I'm going to assume that doing such a thing had little to no effect, as customers continued to post that their CC's were stolen for quite a long time after the reported incident date (seen here).

2. Despite your efforts to mitigate the situation, your response didn't quite hit the mark. A $25 gift card? You SHOULD be offering fraud protection service (credit monitoring) to each and every one of these customers. That's the standard for compromised cards nowadays, at least from the past 2 experiences I've had. Somehow a $25 GC doesn't seem to instill any lost confidence from what happened.

Additionally, simply telling customers basically "trust us we fixed it" in no way will solve your problems. The lack of transparency about what's transpired, combined with dodgy responses and downright denials over the past months, shows that you're still hiding something (namely that you REALLY messed up and didn't follow compliance regulations, held onto customers' CC #'s without permission, and more), and will only hurt you further.

+1 This ^

MidWorst strikes again.

Cheers :mug:
 
I have had the Chase card number stolen and used a couple times. Chase is pretty good. Called and asked if I made these out of the norm charges, etc. This will happen when you shop online.

I have also had my data stolen when Monoprice was hacked. Monoprice's story sounds much like MW, except Monoprice did buy a year of Identity Theft Insurance for those who had ids stolen. Gotta say that MW response is not going to win them back any impacted customers. They could be thinking that there is no bad publicity. Hey, when the TJ Maxx breach happened and it was in the media, sales shot up for a period of time. TJ Maxx? Hey, I need new socks! But then TJ Maxx had to pay.

As you can see at the Privacy Rights Clearinghouse, MW is not alone (and those are only the ones reported/discovered).
http://www.privacyrights.org/data-breach/

Some other breach blogs:
http://www.usdatacorporation.com/info/2011/10/13-embarrassing-data-breaches/
http://www.scmagazine.com/the-data-breach-blog/section/1263/
http://www.databreaches.net/category/breach-reports/page/3/
http://www.esecurityplanet.com/network-security/midwest-supplies-suffers-data-breach.html
 
Midwest has handled this horribly from the start. For starters, they mishandled customers' information. Then they denied any culpability when a thread was posted in June, despite already knowing they had had a breach. Then they waited over a month to notify customers who may have been affected. Then they chose to make the announcement on a message board in the middle of a long weekend so it would get less attention. Finally, they are not offering identity theft insurance to those who had their information stolen due to MW's mishandling, but instead offer a GC, essentially requesting you trust them with your information again. I've only ordered a couple times from them, but I will definitely not be ordering from them ever again and will go out of my way to warn others that they will do the bare minimum to protect your info and then tell you to your face that they had nothing to do with it being stolen.
 
Well it looks like I won't be ordering from Midwest anytime soon. Sucks for you.

YOUR FAILURE TO PREPARE HAS CAUSED AN EMERGENCY ON OUR PART.

no bueno

HAXXOR TEH GIBSON
 
The only way to protect ourselves in the future from this type of crap is for people like me, who were not affected, to decide not to do business with Midwest. That way, the calculus changes the next time around and a vendor will decide that waiting nearly 3 months to talk about it is a BAD business decision.

I really think the lawyer who gave them the advice to keep quiet did a bad job as part of his/her job is to consider the client's financial interests as well. I really think they miscalculated the repercussions of this..
 
The only way to protect ourselves in the future from this type of crap is for people like me, who were not affected, to decide not to do business with Midwest. That way, the calculus changes the next time around and a vendor will decide that waiting nearly 3 months to talk about it is a BAD business decision.

I really think the lawyer who gave them the advice to keep quiet did a bad job as part of his/her job is to consider the client's financial interests as well. I really think they miscalculated the repercussions of this..

+1
As far as I know I was not impacted but I have cancelled my account and will not do business with them again.
 
I love the first world problems here: "blood money", "inconvenience while on vacation", etc.

There are two types of people who shop on-line: those who have had their info hacked and those who will.

If you're gonna shop online, make sure it is with a company with a good fraud policy.

If you don't want to risk it, just take some gold down to your LHBS, or better yet: grow your own barley and hops.

With that said, I hope Midwest learned their lesson by ignoring those who posted here originally in a very respectful manner saying "hey Midwest, a bunch of customers have been hacked; might want to check it out." And responding with "thanks, but it isn't us."

The thing is, there are actual laws for this stuff when it comes to credit card security. For example when the law states you can't have the information accessible to the internet, you can just turn off that port externally. Technically that's following the letter of the law, not the spirit of the law. Realistically any security expert would tell you a 12 year old with scripting tools could get in without issue.

Although to me if the data was available in plain text somewhere, I'm pretty sure it was just downright illegal, which is why they hired legal representation. I would expect some pretty harsh penalties for them from the government for being so willy nilly with people's private data.

Yes you shop online you lose some security, but MANY MANY websites get hacked and customer data revealed. But because the data is encrypted none of the data is actually useable by the criminals unless they have dozens of years to decrypt the keys, by which point the cards aren't even valid anymore anyways. The main difference here is I guess you could say the utter disregard for their customers' private data.
 
The thing is, there are actual laws for this stuff when it comes to credit card security. For example when the law states you can't have the information accessible to the internet, you can just turn off that port externally. Technically that's following the letter of the law, not the spirit of the law. Realistically any security expert would tell you a 12 year old with scripting tools could get in without issue.

You sound like you know way less about computers than you'd like to sound. Nonsense.

I'd like just one person to conclusively demonstrate that they've actually broken any laws. Heck, they might not even be required to comply with PCI guideline depending on their annual sales.
 
You sound like you know way less about computers than you'd like to sound. Nonsense.

I'd like just one person to conclusively demonstrate that they've actually broken any laws. Heck, they might not even be required to comply with PCI guideline depending on their annual sales.

http://www.pcicomplianceguide.org/pcifaqs.php

Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.
 
My bad, I misunderstood it reading the validation requirements. Smaller merchants don't have any except those required by their bank.

Still, I'd like to see proof of anything illegal.
 
My bad, I misunderstood it reading the validation requirements. Smaller merchants don't have any except those required by their bank.

Still, I'd like to see proof of anything illegal.

Yeah, I wasn't saying anything illegal has happened (I don't know how they stored the data, nor does anyone other than the hackers and the company), but they are all required to follow the guidelines no matter their size, that's all I was posting about
 
http://www.pcicomplianceguide.org/pcifaqs.php

Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

There's also this one:

Q: What if a merchant refuses to cooperate?
A: PCI is not, in itself, a law. The standard was created by the major card brands such as Visa, MasterCard, Discover, AMEX, and JCB. At their acquirers/service providers discretion, merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach event occur.

For a little upfront effort and cost to comply with PCI, you greatly help reduce your risk from facing these extremely unpleasant and costly consequences.

So it's not really a law, but it forces merchants to comply or risk costly and damaging actions to continue doing business with the CC service providers.
 
Rest assured that if you were not contacted you were not among the customers impacted.

Very interesting... I placed an order through Midwest in June, and then had fraudulent charges on my CC (luckily Chase blocked them). Have not received anything from Midwest as stated.

Have these notifications been made over email or snail mail?
 
I had over $1000 of fraudulent charges made on my card after a Midwest order. Thankfully my bank is awesome and canceled the card after the $1000 charge; there were 3 pending charges that didn't go through. All my money was given back to me from the bank... Midwest, where is my notification and $25 gift card????
 
Even though I was not impacted, fortunately my LHBS is a one minute walk from my house, a $25 GC is absolutely appalling. It should have been a min $100 with fraud protection for those who were affected. Today's world is about service. Too many choices to deal with poor service and judging by the responses on here today, Midwest is going to learn a valuable lesson.
 
angry_mob_by_acwraith.jpg
 
Couple questions for Midwest Supplies:

1.) How are you determining who was affected by this?
2.) How are you notifying those affected?
3.) How are you giving the $25 credit?

( I believe I was affected but have not received any notification. )
 
Got this PM from Midwest. More kicking the can and overall lameness. I really wish Midwest would just discuss this out in the open. The overall lack of public disclosure is what most people are mad about.

We are sorry that our original post did not answer all of your questions, but please feel free to contact us, and we can answer any questions that you might have directly. We are closed today for the Labor Day holiday, but we will be in the office at 10 – 7 M-F and 10 – 5 Sat and 11 – 5 Sun. You can contact us by phone at 888-449-2739 or by email at [email protected]

I'd still like to see a public reaction on how they plan to change their actions in the future to prevent this from happening again.
 
Got this PM from Midwest. More kicking the can and overall lameness. I really wish Midwest would just discuss this out in the open. The overall lack of public disclosure is what most people are mad about.



I'd still like to see a public reaction on how they plan to change their actions in the future to prevent this from happening again.

I got the same message. My response -- if they want to talk about details, they can say it to ALL OF US.
 