Advanced Auto Parts Scrambles to Placate Customers Following Data Breach

A network intrusion at Advance Auto Parts has put the credit card, debit card and checking account information of up to 56,000 customers in jeopardy.

Data security at 14 stores in Georgia, Ohio, Louisiana, Tennessee, Mississippi, Indiana, Virginia and New York, has been compromised, according to the auto parts retailer.

The security breach is now the subject of a criminal investigation by state and federal agencies. The company is also conducting an internal investigation.

Repairing the Damage

Advance Auto says it is putting in place a number of measures designed to help the affected customers assess the situation so they can take appropriate steps.

"Safeguarding our customers' confidential financial information is extremely important," said Darren Jackson, president and chief executive officer. "We take this responsibility very seriously."

For starters, AAP is establishing a toll-free number with dedicated resources for customers who made purchases in the 14 stores. That number is (800) 704-1154. It will be in operation through May 31. Advance is also offering credit monitoring at no cost for one year.

In addition, it has notified its credit, debit and check processors, and has started sending letters directly to the impacted customers it has been able to identify. Such notification is required by law in many states.

If they do not receive a letter, customers who purchased products in the 14 stores can call the toll-free number to find out if they have been impacted.

Better Than Most

If he were to rate Advance Auto's response to the data breach against other firms in similar situations, the company would get a better than average grade, said Adam Levin, cofounder of Identity Theft 911.

"They've done pretty good," he told CRM Buyer. "Their efforts are not as complete as they could be -- but relative to the universe they find themselves in, an internal investigation, proactive notification and credit monitoring is about as good as you can expect."

Banked for Future Use

Still, these measures don't take into account the long shelf life stolen customer data has, said Levin.

A year has become more or less standard for a retailer's mea culpa to customers whose data has been purloined, but identity thieves often hold onto stolen data longer, in the hope of lulling customers into complacency after an initial period of watchfulness.

A year of credit monitoring might not be enough -- but even if credit monitoring were to be extended beyond a year, it's still limited, Levin pointed out.

Public record monitoring should be part of the package, he suggested.

The biggest disservice retailers and vendors have been guilty of after such events is giving customers a false sense of security. AAP, for instance, said it believes the incident has been contained. While that may mean that the breach has been discovered and the security hole patched, it doesn't mean that stolen customer data won't be used in the future.

"This data is banked inventory for thieves that can be used over a period of time," Levin said.

Turning the Page

It is hardly surprising that companies do not spell out the full danger their customers may be in after a security breach, Scott Montgomery, vice president of global technical strategy at Secure Computing, told CRM Buyer.

Companies only make disclosures because there are laws that require them to do so, he bluntly said.

"I don't think any company is looking for ways to extend their efforts beyond what they have to do in order to do right by their customers. Instead, what they want is for some other news story to develop so they can get out of the spotlight," Montgomery remarked. "They are just waiting for the calendar page to turn."

Best-Case Scenario

Assuming there are companies out there willing to put their reputations on the line in the wake of a data breach, Glenn Ballard, director of Information Security at G&B Solutions, offers the following tips.

Before the breach, do some planning, he told CRM Buyer. "This plan must be tested, maintained and updated on a regular basis."

During and after the breach, "your clients will feel vulnerable, confused, and scared -- you should be concise and accurate in the information it provides." Also, have a "SWAT" team immediately available to manage the process, he added.

"If corporations act properly after a breach they will keep their current customers and potentially gain new customers through the respect/maturity of how it was handled," Ballard said.