Penney’s From Heaven

I recently got a free gift from Bank of America (NYSE: BAC). Well, not quite free. BofA sent me a replacement Visa card without being asked! How strange, I thought, when my credit card was still good for six months. The letter that came with the card said my account information had been compromised, so the bank had to change my credit card number.

My wife did some detective work, starting with a call to BofA customer service. The representative told her a merchant that had accepted my Visa had been hacked. Our personal data was stolen, so the bank had no choice but to issue the new card prematurely.

Curious, my wife asked, "Which merchant?" The response: "Can't tell you that." She did learn that when word got out in 2007 that TJ Maxx (NYSE: TJX) had been hacked two years earlier, fearful customers nearly put the company in bankruptcy.

So now the sounds of silence fall whenever something like this occurs. The customer receives a new card with a new number and hopes for the best. But let's not forget about all those incidentals that accompany this transaction. I had to give my new number to merchants that direct debit from my card, like the E-ZPass system that lets you prepay your tolls in the New York area. E-ZPass would have been unable to accept my now-defunct card, leaving me at the unpleasant mercy of toll collectors on a bridge one day.

My overly curious wife continued her detective work. She went back and looked at the monthly credit card bill. Obviously, this had to have been a big break-in, and she noticed that the only purchase made (besides those involving the usual local merchants) was one at JC Penney (NYSE: JCP). Did a clever hacker penetrate its firewall and steal credit card account information?

Chances are we will never know. Companies have become very reluctant to divulge this kind of stuff. Cyberattacks happen all the time. As we have learned, they are even carried out by our government, which launched a "worm" against the Iranian nuclear effort. The only problem: Once uncovered, the same worm could be turned around -- and launched back at us.

If you look for recent stories about the merchant breach, you won't find many. I happened to close my LinkedIn (NYSE: LNKD) account just before it got hit with that massive break-in. And I've never accepted a debit card. Unlike with my credit card, any breach involving a debit card number would mean money directly out of my account.

Over the years, I've written many stories about hackers. One thing I can tell you is that they work both sides of the street. They'll exploit a company's weaknesses and then offer to repair the damage. And they are reaching farther up and even attacking the cloud, which offers storage and data services to companies and individuals. You can get insurance if you are a cloud service provider, but that doesn't do anything for the customers.

Hackers (particularly foreign ones) operate with virtual impunity, unless they are really stupid. One of the legendary stories about New York Mayor Mike Bloomberg is that he got a Russian blackmailer who had found a flaw in the Bloomberg system to come to London. The Russian was promptly arrested, but he is probably "reformed" and now has a lucrative career with a computer company trying to stop other hackers.

So what do you do? A gambler would say, "Play your credit cards close to the vest."