JP Morgan Chase, the largest bank of the US in terms of assets, acknowledged a massive data breach that affected 76 million households and 7 million small businesses. The bank disclosed the extent of the breach in a filing in early October with the Securities and Exchange Commission. The bank reported no unusual customer fraud had resulted from this breach. Hackers obtained personal information such as customer names, addresses, phone numbers and email addresses. However, JP Morgan Chase said that sensitive bank information–account numbers, passwords, social security numbers and birthdates–were not part of the breach. The breach occurred in June and July, and affected customers that used Chase web and mobile services.
In late September, sandwich shop chain Jimmy John’s confirmed that criminals hacked into their point of sale systems at 216 stores and accessed customer debit and credit card information. The breach took place between June 16 and September 5. Hackers obtained the account numbers on these cards, and may have access to the cardholder name, verification number and/or expiration date. The company, based in Champaign, Illinois, said the hackers were able to obtain the login credentials from the chain’s payment technology vendor and access its point of sale system. The breach did not affect any cards used in any online order or a transaction where the card number was entered manually.
A Forbes report throws interesting insights into the data breaches we have been witnessing, regularly.
A few weeks ago, my wife and I discovered that our credit card number was stolen. How? She got flowers.
Yes, flowers. A dozen red roses arrived for her one day. This was a true mystery. I don’t normally send flowers to my wife – a practice I’ve been recently reminded to change. Our kids are broke and would never send her flowers unless it was a very special occasion. She’s not, to my knowledge, having an affair (she works full time and who has the energy to do these things nowadays anyway?). Our only clue was the card that accompanied the flowers and which had just one word on it: “Happy!” We were baffled. Who would do such a thing? Well, soon enough the mystery was solved. And we certainly found out why the sender was so happy.
That’s because just a few days later our credit card was declined. When we called up MasterCard MA -0.16% we were told that their computers had picked up a few suspected fraudulent transactions on my wife’s card. More than just a few it turned out. In fact, there were about fifty purchases made with our card for things we never knew about or authorized. And yup – one of them was for a dozen red roses at a local florist. For almost two hours, my wife went through each and every transaction with the MasterCard agent (who was great, by the way). We are still receiving daily updates and information about the charges. We were without our cards for a few days until new ones were sent. And now the “your card was declined” emails from online vendors that we use are starting to trickle in.
All of this is an annoyance, but a not a financial calamity. MasterCard, like most credit card services, is pretty good with their consumer/customers. They’ve waived any charges, are investigating the crime (yeah, good luck with that) and are not holding us responsible. Looking back, we’re only guessing that the breach was related to Target TGT +0.16%, because there’s an awesome Target store near us that we frequently use. A few months ago Target admitted that they were hacked, losing millions of card numbers which likely included ours. At the time it was even bigger than the breaches suffered by eBay EBAY -0.53% and Michaels’ Stores earlier this year. But then just this past week Home Depot disclosed a potential loss of 56 million credit card numbers. 56 million!. Think about that – it’s more than the entire population of Spain and is, to date, the biggest credit card security breach ever. We shop at eBay, Michaels, Target andHome Depot HD 0%. Oh no.
But hey, big deal, right? If and when those numbers are sold off those unsuspecting victims – customers of these retailers, will probably suffer the same fate as us. A little inconvenience. Acceptance of liability by the credit card company. Maybe, just maybe, a dozen red roses with a card that says “Happy!” We’re not paying for it, so no big deal.
Well, it’s worse than you think. It is a big deal.
It’s a big deal for the fifty or so vendors on my credit card, many of them mostly small merchants like my local florist who shipped out products and may never get paid. As one report summarizes: “As soon as the fraud is identified, the credit card company seals the cardholder’s cash and if the merchant is unable to prove the authenticity, the cash is debited from their accounts. The chargeback money is the fee that the merchant has to pay for letting the thieves use the stolen cards. The higher the number of chargeback fee, the higher will be the chances of specific vendor of losing the ability to accept certain credit cards. These costs keep on adding up. LexisNexis published a survey according to which in 2013, an average merchant lost about .68 percent of annual income to fraud. A merchant has to pay around $3.08 on each dollar to replace the losses, penalties and chargeback fees.”
What’s the florist to do? Raise prices to cover this cost if it continues to occur? Be a pariah and never accept credit cards? Spend for even more insurance and then suffer premium increases every time she files a claim? It hits her profits and she’s defenseless. 56 million stolen credit cards from Home Depot alone means that there could be hundreds of millions of fraudulent transactions that would occur with as many small and medium sized companies who are already running on tight profit margins and not enough cash flow. In a slow economy. Big companies can absorb losses, establish reserves, raise prices. Small businesses, including mine, have less resources and flexibility. We are exposed – more exposed to this problem than anyone else.
And even if you don’t run a small business you’ll still be impacted. That’s because it’s only a matter of time before credit card companies like Visa V +0.41%and MasterCard will stop absorbing the lion’s share of these costs start coming down harder on their customers. Is it entirely their fault that the security “experts” at Target and Home Depot allowed themselves to be hacked, which is what is causing this mess? Shouldn’t these liabilities be shared more equitably? Financial service firms do have deep pockets, but their resources are not unlimited. If these breaches continue to occur, look for them to share the costs not only with those companies that allow themselves to be hacked, but by raising fees to their customers (yes, you and I) to cover these rising expenses. We all lose.
But the biggest loser of all? Yeah, that’s me. Just because some jerk got hold of our credit card and sent a dozen red roses to my wife she’s now reminded what a negligent husband I am because I rarely send her flowers. Thanks guys, really appreciate it.