Date: October 31, 2013
Harbor Freight Tools Acts to Notify and Protect Customers
Calabasas, CA – Over the summer, Harbor Freight Tools' payment processing system was illegally attacked by cyber-criminals. The attack was similar to attacks reported by other national retailers. In response, we immediately engaged a leading cyber-security company to investigate and notices were posted in every store and on our website. We blocked the attack and adopted enhanced security measures to make our systems more secure than ever.
Fortunately, this incident was limited to credit and debit card transactions made in our stores during a relatively short seven week period (May 6, 2013 to June 30, 2013). Transactions after June 30, 2013 were not affected. For nearly all of these transactions, we believe that the attacker only found "track 2" data-information on the card's magnetic stripe that contains only the card account number, expiration date, and card verification number. For less than 1% of these transactions, the attacker may have found data that also included the cardholder’s name.
Because we cannot identify which specific cards or information were actually taken, we are notifying our customers whose cards were used during the May 6, 2013 to June 30, 2013 time frame at each impacted store. For most of those purchases, we do not have sufficient information to identify the name or address of the customer. For those customers that we have addresses for, we began mailing letters to them on October 30. You can view a copy of the letter here. If you used your card in one of our stores during the seven week period and did not receive a letter, you should review the additional information below on ways to protect yourself.
If you see a fraudulent charge on your card, please immediately contact the bank that issued your card. Major credit card companies typically guarantee cardholders will not be responsible for fraudulent charges. Please be on the lookout and review your account statements for any unauthorized activity.
We regret any inconvenience this may cause. Keeping customer information secure is a top priority at Harbor Freight and we will continue to work to make our network more secure. If you have questions, please call us toll free at 1-877-216-4023, Monday thru Friday, 9am to 7pm (EST), and use the following ten digit reference number when calling: 4471100813.
Chairman & CEO
Harbor Freight Tools
Frequently Asked Questions
What customers may be affected?
This incident was limited to credit and debit card transactions made in stores during a relatively short seven week period (May 6, 2013 to June 30, 2013). Transactions after June 30, 2013 were not affected.
Can you tell me whether my specific card was affected?
The investigation did not find any files containing card data actually captured during the attack, so Harbor Freight Tools does not know with certainty which cards were affected or what data from any specific card might have been captured. We are continuing to work with law enforcement to pursue the individuals behind the attack.
How many stores were affected?
Most, but not quite all, of the stores were affected.
What should I do if I think my card might be affected?
If you see a fraudulent charge on your credit or debit card, you should immediately contact the bank, credit union or other financial institution that issued your card. The phone number to call can be found on the back of the card. Major credit card companies typically guarantee cardholders will not be responsible for fraudulent charges.
Harbor Freight’s payment processor has been working with the credit card companies to provide them with the account numbers for cards used during the seven week period so that the banks that issued those cards can be alerted. When banks receive these alerts, they can conduct heightened monitoring of transactions to detect and prevent unauthorized charges.
What personal information could have been accessed?
For nearly all of these transactions, it is believed that the attacker only found "track 2" data—information on the card's magnetic stripe that contains only the card account number, expiration date, and card verification number. For less than 1% of these transactions, the attacker may have found data that also included the cardholder’s name. Harbor Freight cannot identify for any specific card whether the card was actually taken or, if so, which information from the card was taken.
MORE INFORMATION ON WAYS TO PROTECT YOURSELF
We recommend that you remain vigilant by reviewing your account statements and credit reports for any unauthorized activity. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting companies is as follows:
Equifax, PO Box 740256, Atlanta, GA 30374, www.equifax.com, 1-800-525-6285
Experian, PO Box 9554, Allen, TX 75013, www.experian.com, 1-888-397-3742
TransUnion, PO Box 6790, Fullerton, CA 92834, www.transunion.com, 1-800-680-7289
If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the attorney general’s office in your home state. Contact information for the Federal Trade Commission is as follows:
600 Pennsylvania Avenue, NW
Washington, DC 20580
You can obtain information from these sources about steps an individual can take to avoid identity theft as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records.
If you are a resident of Maryland, you may contact the Maryland Attorney General’s Office at 200 St. Paul Place, Baltimore, MD 21202, www.oag.state.md.us, 1-888-743-0023.
If you are a resident of Massachusetts, note that pursuant to Massachusetts law, you have the right to obtain a copy of any police report.
Massachusetts law allows consumers to request a security freeze. A security freeze prohibits a credit reporting agency from releasing any information from your credit report without written authorization. Be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services.
The fee for placing a security freeze on a credit report is $5.00. If you are a victim of identity theft and submit a valid investigative report or complaint with a law enforcement agency, the fee will be waived. In all other instances, a credit reporting agency may charge you up to $5.00 each to place, temporarily lift, or permanently remove a security freeze. If you have not been a victim of identity theft, you will need to include payment to the credit reporting agency to place, lift, or remove a security freeze by check, money order, or credit card.
To place a security freeze on your credit report, you must send a written request to each of the three major reporting agencies by regular, certified, or overnight mail at the addresses below:
PO Box 740241
Atlanta, GA 30374
PO Box 9554
Allen, TX 75013
PO Box 6790
Fullerton, CA 92834
In order to request a security freeze, you will need to provide the following information:
- Your full name (including middle initial as well as Jr., Sr., II, III, etc.)
- Social Security number
- Date of birth
- If you have moved in the past five (5) years, provide the addresses where you have lived over the prior five years
- Proof of current address such as a current utility bill or telephone bill
- A legible photocopy of a government issued identification card (state driver's license or ID card, military identification, etc.)
- If you are a victim of identity theft, include a copy of the police report, investigative report, or complaint to a law enforcement agency concerning identity theft
The credit reporting agencies have three (3) business days after receiving your request to place a security freeze on your credit report. The credit bureaus must also send written confirmation to you within five (5) business days and provide you with a unique personal identification number ("PIN") or password or both that can be used by you to authorize the removal or lifting of the security freeze.
To lift the security freeze in order to allow a specific entity or individual access to your credit report, you must call or send a written request to the credit reporting agencies by mail and include proper identification (name, address, and social security number) and the PIN number or password provided to you when you placed the security freeze as well as the identity of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available. The credit reporting agencies have three (3) business days after receiving your request to lift the security freeze for those identified entities or for the specified period of time.
To remove the security freeze, you must send a written request to each of the three credit bureaus by mail and include proper identification (name, address, and social security number) and the PIN number or password provided to you when you placed the security freeze. The credit bureaus have three (3) business days after receiving your request to remove the security freeze.
If you are a resident of North Carolina, you may contact the North Carolina Attorney General’s Office at 9001 Mail Service Center, Raleigh, NC 27699, www.ncdoj.gov, 1-919-716-6400.
If you are a resident of West Virginia, you also have the right to ask that nationwide consumer reporting agencies place "fraud alerts" in your file to let potential creditors and others know that you may be a victim of identity theft. A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you. It also may delay your ability to obtain credit. You may place a fraud alert in your file by calling one of the three nationwide consumer reporting agencies. Contact information for each of the three credit reporting agencies is located on the second page of this letter. As soon as that agency processes your fraud alert, it will notify the other two, which then also must place fraud alerts in your file.
You may choose between two types of fraud alert. An initial alert (Initial Security Alert) stays in your file for at least 90 days. An extended alert (Extended Fraud Victim Alert) stays in your file for seven years. To place either of these alerts, a consumer reporting agency will require you to provide appropriate proof of your identity, which may include your Social Security number. If you ask for an extended alert, you will have to provide an identity theft report. An identity theft report includes a copy of a report you have filed with a federal, state, or local law enforcement agency, and additional information a consumer reporting agency may require you to submit. For more detailed information about the identity theft report, visit www.ftc.gov/idtheft/.
You may also obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You have a right to place a security freeze on your credit report pursuant to West Virginia law. The security freeze will prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization or approval.
The security freeze is designed to prevent credit, loans and services from being approved in your name without your consent. When you place a security freeze on your credit report, within five business days you will be provided a unique personal identification number or password to use if you choose to remove the freeze on your credit report or to temporarily authorize the distribution of your credit report for a period of time after the freeze is in place. To provide that authorization, you must contact the consumer-reporting agency and provide all of the following:
(1) The unique personal identification number or password provided by the consumer-reporting agency;
(2) Proper identification to verify your identity; and
(3) The period of time for which the report shall be available to users of the credit report.
A consumer-reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report shall comply with the request no later than three business days after receiving the request.
A security freeze does not apply to circumstances in which you have an existing account relationship and a copy of your report is requested by your existing creditor or its agents or affiliates for certain types of account review, collection, fraud control or similar activities.
If you are actively seeking credit, you should understand that the procedures involved in lifting a security freeze may slow your own applications for credit. You should plan ahead and lift a freeze, either completely if you are shopping around or specifically for a certain creditor, a few days before actually applying for new credit.
You have the right to bring a civil action against someone who violates your rights under the credit reporting laws. The action can be brought against a consumer-reporting agency.
Fecha: 31 de octubre, 2013
Harbor Freight Tools Actúa para Notificar y Proteger Sus Clientes
Calabasas, CA – Durante el verano pasado, el sistema de procesamiento de pago de Harbor Freight Tools fue atacado ilegalmente a través de un ciberataque criminal. El ataque fue parecido a los que fueron declarados por otros comerciantes minoristas nacionales. En respuesta, contratamos a una destacada agencia de seguridad informática inmediatamente para examinarlo, y noticias fueron publicadas en cada tienda y en nuestra página web. Bloqueamos el ataque y aumentamos medidas de seguridad para hacer nuestros sistemas más seguros que nunca.
Afortunadamente, este incidente fue limitado a transacciones de tarjetas de crédito y débito hechas en nuestras tiendas durante un periodo de tiempo relativamente corto de siete semanas (el 6 de mayo, 2013 hasta el 30 de junio, 2013). Transacciones después del 30 de junio, 2013 no fueron afectadas. En casi todos los casos de las transacciones, creemos que el atacante solo encontró “Track 2” data—información en la banda magnética de la tarjeta que contiene el número de la cuenta asociada con la tarjeta, la fecha de vencimiento, y el número de autenticación en la tarjeta. En menos de un 1% de estas transacciones, el atacante podía haber encontrado data que también incluye el nombre del titular.
Como no podemos identificar cuales tarjetas especificas ni cual información fueron capturados durante el ataque, estamos notificando clientes cuyas tarjetas fueron usadas durante el periodo de tiempo desde el 6 de mayo, 2013 hasta el 30 de junio, 2013 en cada tienda impactada. En la mayoría de las ventas, no tenemos información suficiente para identificar el nombre ni la dirección del cliente. Para esos clientes cuyas direcciones tenemos, empezamos a enviarles cartas el 30 de octubre. Puede ver una copia de la carta aquí [PDF]. Si usted ha usado su tarjeta en una de nuestras tiendas durante el periodo relativo de siete semanas y no recibió una carta, debería repasar la información adicional abajo sobre distintos pasos para protegerse.
Si usted ve una carga fraudulenta en su tarjeta, por favor contacte el banco que expidió la tarjeta lo antes posible. Las compañías principales de tarjetas de crédito normalmente aseguran que los titulares no serán responsables por cualesquiera cargas fraudulentas. Por favor, preste atención y revise su cuenta bancaria para cualquiera actividad desautorizada.
Lamentamos cualquier inconveniencia esto puede causar. Proteger la información de nuestros clientes es una prioridad de máxima importancia en Harbor Freight y continuáremos trabajar para asegurar nuestro sistema. Si tiene preguntas, por favor llámenos a la línea gratuita al 1-877-216-4023, code: 4471100813, lunes a viernes, 9 de la mañana hasta 7 de la tarde (HORA ESTANDER DEL ESTE).
Presidente, Harbor Freight Tools