Largest credit card scam uncovers retailer culpability

As reported around the world and here at CreditCards.com, the latest -- and biggest -- identity theft scam in U.S. history was disclosed last week, revealing that more than 40 million credit and debit card numbers were stolen from nine U.S. retailers. What is frightening is the fact that only four of the nine affected retailers notified customers of the security breach and the others, well, either they won't tell or they claim that the breach was never confirmed.

I read with interest about the credit card data breach at TJX Companies, which includes TJMaxx and Marshall stores, especially since I frequent TJMaxx more than I would like to admit. As a result of the media coverage, I made a concerted effort to check my financial records often for any suspect activity. Luckily, I have been unscathed.

But when I heard that credit card data from Barnes & Noble, OfficeMax, Boston Market, SportsAuthority and Forever 21 was also stolen, I was confused. Why didn't I hear about those stores as well? As a frequent customer of several of those retail outlets as well, the odds of my credit card number being one of the 40 million that were stolen increased dramatically. 

According to a recent article in The Wall Street Journal, "Most states mandate that companies tell their customers when their credit card data is stolen from stores. The laws are designed to give consumers a chance to protect themselves against fraud or identity theft." In fact, as the frequency of identity theft attacks has increased, more than 40 states now have laws that require companies to warn consumers as soon as possible when personal information is stolen. So, did these companies break those laws? 

Boston Market, Forever 21, OfficeMax and Sports Authority officials are still digging their heels in, saying that they either had no knowledge of a breach or that there was no breach at all (despite federal authorities having alleged evidence to the contrary) or just refusing to answer the phone.

"Companies typically have made disclosures by letter, whenever possible, and through public announcements on their Web sites and in press releases to the media" whenever a data security breach affecting personal information occurs, reports the Journal. As a consumer, I don't blame these companies for security lapses, but I do blame them for not notifying affected customers.

And just for the record, the other retailers who did do the right thing (beside TJX) are: BJ's Wholesale Club, DSW shoes and Dave & Buster's.

See related: Feds charge 11 in largest identity theft case in U.S. history, "Wardriving" in the era of overpriced gasoline