Last Saturday, I got up and my wife asked me about a $700 charge on our account. I’m like uh-oh, so I go through the motions to fix it. It happens to lots of us, and sometimes we don’t even know how. A week later I find out: my card was breached when I ordered parts from Char-Broil.
It’s sadly a common occurrence. I have friends who are less careful than I am who have had this happen multiple times. I am very careful and mostly I only order from places that I trust. I thought I trusted Char-Broil. I love my grill, but I needed parts. I thought I was safe. So when my wife told me about it, my first thought was that the card likely got scanned when I was traveling for work a few weeks ago in North Carolina. Imagine my surprise when I got this letter out of the blue from Char-Broil.
In the letter it said:
“On April 21, 2017, we discovered that an unauthorized third-party uploaded malicious computer code to the system that hosts Charbroil.com. Upon discovering this attack, we took immediate action to protect consumer information. We removed the code, we notified law enforcement of the criminal activity, and engaged leading forensic experts to assist our company in investigating the security incident. Based on this investigation, we believe that the code was present when customers made purchases via the online store during approximately March 22, 2017 and April 21, 2017, and that the code may have been used to obtain customer payment card transaction information for a limited number of transactions during that time. You are receiving this notice because our records indicated that you made a payment card purchase during that time.”
Further down the letter, it said:
“The information potentially impacted includes information provided when making a payment card purchase on Charbroil.com during the time frame above, including your name, billing address, phone number, payment card number, expiration date, and CVV2 code.”
Basically, they had anything they needed to make a card of their own, and that is what they did in my case. They made a $700 purchase at Straight Talk.
Things I am thinking about here: Was Char-Broil storing the card numbers? If they did, they obviously were storing them without encryption or with weak encryption. It’s also possible the malware was embedded in the website itself, so it could just skim the data as I put my order in. I am not 100% sure.
How do you prevent this? That’s a good question. I think that it’s virtually impossible to prevent this if you purchase anything online or in person. The situation I describe above was on the web, but it’s just as common for people to get their card data taken at a restaurant, in a sketchy ATM, or at the gas station, even without the card leaving your wallet, or if you have a card with an RFID tag. RFID tags are commonly used on cards that support MasterCard PayPass or Visa payWave.
However, what I have started thinking about doing is this: wherever I am, if they take Android Pay or Apple Pay, I use it (Android Pay in my case). The reason is that neither of these shares the actual card number tied to the account in question, so even if a thief got the data it would be useless. That’s what I would do in person. Online, I will continue to use Amazon and eBay and other places that do a much higher volume with a much higher budget for security. If I need a part for something like a grill, I’d be more apt to purchase it on Amazon versus the company website. I like Char-Broil grills, but their main purpose is to sell grills, not parts. I may use their site to get the part numbers, but from now on I will search for the part on Amazon and only purchase direct if it’s the last resort.
Fortunately, or maybe UNFORTUNATELY, this is common enough that when I called my bank and pointed out the transaction, they replaced the money almost instantly. I walked into my bank (Chase, if you’re wondering) and walked out with a new card, with no waiting for a week until I could use my card again.
Whatever you do, if it happens to you, don’t fret; take advantage of a monitoring service like Equifax if you are affected by a breach.