In the light of the massive security breach at Target, where some 40 million credit cards were compromised, I spoke to Day’s Jewelers president Jeff Corey, whose company’s computer system was hacked two years ago, about what the experience was like and what advice he would give fellow jewelers about it.
“It was an absolute nightmare,” Corey remembers. “You work to build the integrity of our brand, and suddenly your customer’s credit card is compromised.”
It all started when the Maine Credit Union League noticed customers complaining about phony credit card charges. The one thing they all had in common: They made purchases at Day’s Jewelers around the holidays. Eventually, the Day’s systems were examined and the breach discovered.
The six-store chain went into immediate damage-control mode, hiring a PR firm and reaching out to affected customers.
“I must have communicated with 700 customers,” Corey says. “I answered every email. And it means something when the head of the company personally calls you.”
The company also beefed up security.
“We have gotten to the point where it is overkill,” Corey says. “We have a firm that we pay to break into our system every month, so we have any idea if we have any vulnerabilities.”
“We don’t even save social security numbers and we don’t save credit card numbers. All of that information is deleted immediately. We don’t clear customer credit card numbers with our POS system. We give customers receipts from the little credit card machine. It’s unprofessional and it slows the process down. But we are paranoid.”
The hacking was eventually traced to a “highly sophisticated ring working out of the Ukraine.” Corey doesn’t know if anyone was ever charged with the crime.
In the end, the company spent a lot of money mopping up the mess, some of it going to its card provider.
“The companies credit all the consumers,” he says. “And then what they typically do is come back to the company and fine you. That fine could be any amount of money, from $5,000 to $1 million. And you can’t dispute it, because it is outside the court of law, and if you don’t agree to pay the fine, they won’t let you accept credit cards anymore. So we went overboard and followed their compliance to the highest level and hoped they would recognize that. And that is what happened.”
Corey believes that many jewelers are more vulnerable to security breaches than they realize, and he advises them to examine their systems thoroughly. But he feels the larger problem is that American credit cards use magnetic stripes, rather than the more-difficult-to-counterfeit “smart cards” with computer chips that are now standard in Europe. (U.S. companies have been reluctant to adopt this technology because of the cost.)
“What I’ve come to terms with is we shouldn’t worry whether we are going to get breached, it’s what we are going to do when we do get breached,” he says. “I think it’s inevitable. The credit cards we are using are antiqued technology. Until we are using something that is far more secure like they have in Europe, all of us should expect to get breached.”
For more information, read “How to Tell If Your Website Is Hacked” from the Jeweler Website Advisory Group.