Harbor Freight Tools USA notifies customers that payment processing system was hacked (updated)
Harbor Freight Tools USA has been notifying customers of a hack that occurred in May and was discovered on July 2. In their letter, they write:
Over the summer, Harbor Freight Tools’ payment processing system was illegally attacked by cyber-criminals. The attack was similar to attacks reported by other national retailers. In response, we immediately engaged a leading cyber-security company to investigate and notices were posted in every store and on our website. We blocked the attack and adopted enhanced security measures to make our systems more secure than ever.
Fortunately, this incident was limited to credit and debit card transactions made in our stores during a relatively short seven-week period (May 6, 2013 to June 30, 2013). Transactions after June 30, 2013 were not affected.
For nearly all of these transactions, we believe that the attacker only found “track 2” data—information on the card’s magnetic stripe that contains only the card account number, expiration date, and card verification number. For less than 1% of these transactions, the attacker may have found data that also included the cardholder’s name.
Because we cannot identify which specific cards or information were actually taken, we are notifying our customers that we have been able to identify whose cards were used during the May 6, 2013 to June 30, 2013 time frame at each impacted store. We believe your card was in this group.[…]
Those affected were not offered any free credit monitoring services. If customers have questions, they can call toll-free 877-216-4023, Monday through Friday, 9 a.m. – 7 p.m. EST, and use the following ten-digit reference number when calling: 4471100813.
Their notice is still available on their web site, linked from the home page by a small link to “credit card information.” Hopefully, it was more prominently linked at some point. The notice indicates that Harbor Freight Tools first learned of the breach from credit card companies.
Update: The breach was also reported to New Hampshire with an updated explanation of what the firm went through investigating and trying to notify customers. It sounds like they made a really conscientious effort to ensure consumers were alerted, so good for them! Thirteen New Hampshire residents were affected.
Update 2: The breach was also reported to Maryland, where they reported that 2,648 Maryland residents were affected.