Credit Card Compromised at TackleWarehouse

[Drakestar]

On Dec 12, I got a fraud alert from my credit card company. Somebody was making several unauthorized $1000+ purchases in my name. Of course I closed the card right away and cleaned up my record with them. I now have to change payment methods all over the place. It’s happened before and it’s not the end of the world, but it IS a big hassle. I’m also getting significantly more spam on the email linked to my old card at the breached store.

Last night, I got an email from Tackle Warehouse, telling me that my CC information had been stolen in a data breach of their system. It doesn’t offer any restitution, just a bunch of “what you can do” information. The kicker is that per email, they knew that my information was affected on November 29, but didn’t inform me until now. If I’d known right away, I could have prevented a bunch of hassle by preemptively locking the card. The fraud happened on Dec 12.

I’m kinda pissed. I know TW is a board sponsor, and if this post is inconvenient to Zander and Cal I don’t mind it being taken down (I don’t want TackleTour to lose sponsorships). But I figured it was fair game to post. For one, I expect that quite a few members shop at TW and might have been affected. And the way they handled this is not great. I spent over $8000 at TW in 2021 alone (I’m ashamed to say I just did that math) and after they expose me to identify theft (which then happened!) all I get is a too-late notice of the breach and I’m left to clean up the mess myself. I think I’ll use a different store for a while.

[Hogsticker2]

The world is becoming quite nasty. I'd be upset as well, that they chose to notify you so long after it was known. Could have saved you some sanity for sure.

[DrPerf]

You might consider using PayPal for retail transactions when that is an option. You can link one or more credit cards to PayPal and then specify which card is to be used for a transaction. The retailer never has access to the credit card information. PayPal has a decent record for keeping private information secure. I use PayPal for all retail transactions where that is an option. If PayPal is not an option, I strongly rethink the transaction if not from a major retailer, which somewhat increases the probability of protected private information.

After 40+ years in the computing technology field, I am still amazed at the appalling lack of security for private information at even some major retailers. So, it is even more concerning when dealing with a small to medium-sized retailer who has only a moderately functional website that I can determine has minimal to inadequate private information security.

In addition to your ‘everyday’ hacker, there are state-sponsored groups that are tasked with acquiring personal information for fraudulent purposes. In some instances, the financial ‘bounty’ from that state sponsored activity is considered part of the country’s economy. So, we are only not considering individual hackers, but state sponsored groups with some ‘horsepower’ behind their hacking activity.

In addition to using PayPal and eliminating retailer direct access to your credit card information, there are a few other steps that can be taken to increase security and decrease potential infection vectors. To start, do not use any of your personal and/or business email addresses for online shopping or online financial transactions.

When you send a personal email or a business email to an individual, you have no control over your email address at that point. Your email address is now “in the wild”. If the recipient’s device (phone/tablet/laptop/workstation) has been infected or infected at a later date. The malware infection can be directed to ‘harvest’ all of contacts (email addresses) on that infected device. Then the spam and possible other intrusions begin appearing at the sender’s email address.

No matter how secure the sender’s device and email software is, using an email address as described above will almost ensure an “uptick” in spam and possible malware intrusion attempts. And the number of people with unsecured or minimally secured devices and email software is staggering. I have won every bet with relatives and friends that within fifteen minutes of inspecting their laptop or workstation, I will find multiple malware infections and end up cleaning them.

So, what can you do? Assuming your device (tablet/laptop/workstation) is secure using adequate malware protection and preferably using an internet connection (hardwired or WiFi) behind a hardware router with a hardware firewall, you are at a good starting point. The router and firewall will generally be the case in most home network configurations by default. If you use your phone for online shopping and/or financial transactions, do not use the cellular connection because there is not good privacy protection with that type of connection. Connect your phone to a secured WiFi router as described above. If you cannot access that type of connection, seriously rethink using your phone for that type of transaction.

The final step is to create one or more purpose-specific email addresses in a different domain from your personal/business email address domain(s), which will only be used for online shopping and/or financial transactions and personal or business emails to individuals.

My setup for the past three years is as follows:

“online shopping email address”@”free domain”
“financial transactions email address”@”free domain”
“government email address”@”free domain” (VA, Social Security, DMV, etc.)

For example, "my.online.shopping@gmail.com" for online shopping transactions. In the three years that I have used this type of email setup, I have yet to receive any spam to those three email addresses.

Hope that you find this information helpful.

Regards,
Doc

[IlliniDawg01]

I stopped worrying about my credit cards getting stolen years ago. Be sure to use an actual credit card and not a debit card and you are essentially free from risk. Any fraudulent purchases are guaranteed to be covered by the credit card company and refunded to your account. Usually, they catch them before I do.

That, coupled with the cash back you get from every purchase, and the simple way to build credit history makes credit cards fantastic for responsible consumers.

If you are extra paranoid, many card issuers have mobile apps that will show an alert on your phone every time a purchase is made on your account in real time. I use this mostly to keep an eye on monthly charges changing and my wife's spending but i have caught a couple of fraudulent purchases as well. I can report them right from the app.

[Polkfish1]

Huh; happened to me also right around the same timeframe. Thought it might have been a different tackle retailer I had just bought from, but there could have been a TW purchase also in there somewhere. I guess it’s that time of the year too. No biggie though; spent some time on hold with a bank agent and cleared up pretty easy. I think I had to cancel at least 2 cards like this in ‘21. Maybe I’ll look into the advice posted above.

Funny too; the fraudulent charges were made to an “FLW”, which made me think someone was using my card to pay next year’s tournament fees. But I realize it was just a coincidence since it’s all MLF and BPT now.

[DrPerf]

Many banks offer zero liability debit cards or if not, timely reporting of debit card loss or a fraudulent transaction will limit your liability to a minimal amount ($50) if anything at all.

Not all credit cards offer rewards, so that is not an overall factor for the use a credit card vs. a debit card. But I agree that using cards with rewards is a good thing. All of my credit cards, personal and business, are “working” cards. In fact, my wife and I accumulated so many AMEX Reward Points that we completely replaced all laundry and kitchen appliances from Home Depot using nothing but those reward points

If you experience fraudulent transactions with a credit card, you will have to spend the time to cancel the card, receive a new card, and if used for online payments, make the corresponding changes to those accounts. If a modicum of prevention can eliminate or significantly reduce the number of times a person has to go through that process, it would seem the prudent thing to do.

If this issue is occurring somewhat frequently (more than once every year or two), I would suggest it is an ‘operator’ issue not credit card institution issue. And would consider a process to better secure online shopping and/or online financial transactions such as described in my previous post. Use of PayPal with credit cards still accumulates credit card rewards, if the cards offers rewards, and continues to build your credit history when used responsibly.

But if you do not mind spending the time to cancel the compromised card, waiting for a new card and possibly having to make updates to online shopping/financial accounts where the card was used, I “bow” to that ‘laissez-faire’ approach


Regards,
Doc

[hoohoorjoo]

I, too, got an email from them, saying my info may have been compromised. However, the card I last used there was already compromised, cancelled and replaced due to another instance of identity theft earlier this year. I didnt leave any of my info on file, told them no when they asked at my last order. It is only getting worse, I'm afraid.

[Finnz922]

I got hit. My debit card and scheels card through Tacklewarehouse getting hacked. Not mad at them, just the low life scum that ruined a night sleep because I got hit in the middle of the night and was up all night with multiple fraud departments.

[amso4]

I only use virtual credit card numbers if PayPal is not an option. Capital One has Eno that lets you create a unique virtual credit card number for a merchant. Another benefit besides the unique card number is that you can put an amount or time limit to the card. This works for signing up for trials that force the use of a CC. With Eno you can provide the card, then turn it off if you like.

[Cal]

I changed the title of this discussion thread.

"TackleWarehouse Leaked my Credit Card" - infers TackleWarehouse intentionally gave out your credit card information. They were hacked and the information for many individuals was compromised. This is a valid discussion. Let's just make sure the circumstances are accurately represented.

[Finnz922]

I changed the title of this discussion thread.

"TackleWarehouse Leaked my Credit Card" - infers TackleWarehouse intentionally gave out your credit card information. They were hacked and the information for many individuals was compromised. This is a valid discussion. Let's just make sure the circumstances are accurately represented.

Thanks Cal. You are correct

[SteveSchmelzle]

November 29th eh.

I wonder if that was the source of my attack.

I had my CC maxed out on December 4th. Had to get it cancelled/reversed, etc.

I purchased from TW in September.

But I didn't get an email from TW telling my my card was compromised.

As for the time it took to get everything back to normal? 20 days. That's how long it took my bank to remove the charges.

[Polkfish1]

Huh; happened to me also right around the same timeframe. Thought it might have been a different tackle retailer I had just bought from, but there could have been a TW purchase also in there somewhere. I guess it’s that time of the year too. No biggie though; spent some time on hold with a bank agent and cleared up pretty easy. I think I had to cancel at least 2 cards like this in ‘21. Maybe I’ll look into the advice posted above.

Funny too; the fraudulent charges were made to an “FLW”, which made me think someone was using my card to pay next year’s tournament fees. But I realize it was just a coincidence since it’s all MLF and BPT now.

Quick update on this. I received an email today informing me that my card was in fact compromised via TW. Same card that I had to cancel/replace. Email came a couple weeks+ after everything went down. Better late than never. In my case, the bank does an investigation of the fraud, so it’s useful to have this information just in case.

[BRONZEBACK32]

yup, I got the same email

[jpmoney]

Yep, I got my CC compromised as well. I made a TW purchase on Nov.23, and got a text msg on Nov.26 from my CC company indicating a $700+ fraudulent purchase was attempted at amazon. The CC company detected it right away which I'm grateful for, but this has me concerned going forward. Going to have to use PayPal from now on. It's sad to say this is happening but it's the day and age we are living in.