Customers Question Breach Alert Etiquette at Blowout CardsWhy Hasn't Card-Trading Site Alerted Customers to Fraud via Social Media?
Update — April 25, 2017: After this piece first appeared April 24, Blowout Cards posted a more detailed security alert to its website, which it also emailed to customers who had been potentially affected by the breach (see Blowout Cards Issues Card-Skimming Breach Alert).
Free advice for breached businesses: Once you admit that you've suffered a data breach or that you're investigating whether you were breached, disseminate that message far and wide, including via all social media. That way, no one can accuse you of trying to cover it up.
"We will be contacting all potentially affected users via email."
Consider that many police departments now issue statements or updates on investigations not only via their websites, but also Facebook and Twitter. Simply put, those are great ways to get the message out.
And at a minimum, that's what all other organizations should be doing as well, especially when it comes to warning customers or users that they may have been the victim of a data breach or other security-related incident.
Likewise, here's what not to do: Issue a breach notification only via your own forums, while failing to get the word out via social media or email to anyone who may not have logged onto your site in the past day, week, month or year.
That is what seems to be happening with Blowout Cards, a site devoted to the buying, selling and trading of sports cards and trading cards that's owned by Frontline Collectibles Inc. in Sterling, Virginia.
Breach Alert Timeline
Reports of a potential breach at the site - dating from at least January - first surfaced on April 19 via the Blowout Cards forum post with the subject line of "credit card problems." As of April 24, however, the company had yet to issue any alerts via social media or to directly notify potential victims.
"Not sure where to put this, but I ordered something from Blowout in January. Used a credit card that I rarely use - only other place I use is NYTimes subscription," wrote "ForceChange77" in an April 19 post. "Somebody got the card number and started charging all kinds of fraudulent charges. Has there been a problem recently?"
On April 20, a site administrator responded that the organization had been alerted to a security breach - it didn't say by who - and that it was investigating.
On April 21, an "Important Message - Attention Customers" alert was posted to the front page of Blowout Cards site, leading to a security notice posted in the thread started by ForceChange77.
"Recently we were alerted to a potential security breach on our website. After researching this issue, our internet security team detected and patched an exploit that allowed unauthorized access to customers' card information when checking out on Blowoutcards.com," that security alert reads.
"We are currently in contact with several leading third-party security firms to determine the cause of the breach and assure you that we are working with leading experts to harden our security to prevent any future incidents. Although the immediate issue has been resolved, our investigation into this matter is ongoing and we will communicate additional information to you as it becomes available to us," it adds.
Multiple other customers also reported via the forum post that they too seemed to have experienced card fraud tied to the site.
One customer emailed me directly, noting that his debit card was also hit with suspicious charges. He believes the fraud traces back to the Blowout Cards site.
"My debit card was hit with charges," he says. "I quickly cancelled the card and waiting on reimbursement from my bank, which I am sure won't be a problem."
Under U.S. consumer protection law, credit card users are protected if their card gets used fraudulently, provided they notify the card issuer in a timely manner. Debit card users, however, have no such protections, which is why many identity theft experts recommend never using debit cards for online purchases. That said, many banks will refund charges tied to debit card fraud.
Fraud-loss coverage aside, the customer also questions why Blowout Cards had only posted a warning to its forums - even though fraud appears to be ongoing - rather than getting the message out via social media channels.
"Blowoutcards/Frontline collectibles seems like they are trying to hide the information," he says, noting that he rarely looks at the forum articles, because they typically involved just advertisements for sales. "They have the ability to post a message on Twitter/Facebook account which would notify 10-20X as many customers that have been affected. I am sure less than 25 percent of customers affected don't use the company's web forum which is the only place they have the small notice/warning."
Blowout Cards Promises Direct Notifications
I asked Blowout Cards when its breach apparently began, how many users were affected, whether it plans to offer identity theft monitoring services to victims and why it hadn't issued any alerts via social media or other channels.
Thomas Fish, president of Blowout Cards, responded by saying that more details will be forthcoming by April 25.
"At this time, any statement(s) have been posted on the forum where we first became aware of a potential issue. We will be making a more detailed announcement within the next 24 hours," he told me on April 24. "We will be contacting all potentially affected users via email at that time as well."