Malley's Chocolates' website hacked, 3,400 online customers' card information breached

Thieves hacked Malley's website just before the busy Easter season. (Plain Dealer file)

CLEVELAND, Ohio -- A computer hacker hit Malley's Chocolates two weeks before Easter and stole credit and debit card information belonging to 3,400 customers.

The Brook Park-based candy icon started notifying affected customers last week by mail. The data breach affected consumers who made purchases online, not those who bought items in one of Malley's 23 Northeast Ohio stores.

Consumers are encouraged to notify their banks and cancel their cards immediately -- especially in the case of debit cards because those are linked directly to people's checking accounts.

"It was awful," Malley's Chairman and co-owner Mike Malley said in an interview. "We take our customers' privacy and security very seriously."

Malley said the company learned something was amiss after it was contacted by two customers in two days in March who said they'd had fraud on the cards they used for online orders. Malley's experts confirmed a breach, and the company shut down its website for four days while forensic and IT consultants fixed the issues and tested the site's security in various ways.

The company spent weeks determining which customers were affected, and found that there was a "high probability" that information for 3,453 credit and debit cards was stolen, Malley said. He believes the breach was going on for only a couple of days before they caught it and shut the site down.

The data compromised included people's names, addresses, card information and the security code printed on the card that's needed for online purchases. Most likely, the information could not be used to create a counterfeit card, because the thief wouldn't have the internal security code that's on the mag stripe that's needed for an in-person purchase. That code isn't provided during an online purchase.

Malley's took a few weeks to investigate the breach thoroughly, Malley said, and made sure it had a list of every customer affected before it started notifications. The company didn't want to stagger mailings to different people and create more confusion or stress, he said.

Malley's has set up a 24/7 call center to help affected customers, who will need account information from the letter they received if they need help understanding their exposure or what Malley's can do for them.

In this era, hacks affect small companies and monster corporations like Equifax and even supposedly secure government operations. Malley said officials don't know how the site was hacked. He said all of the website's plug-ins and security features were up to date.

The hack came at a bad time for Malley's -- two weeks before Easter -- which is typically one of the company's busiest times.

Consumers who were victims of this or any breach should consider a few safeguards:

  • If you used a credit card, notify your bank. Ask whether the company wants to proactively cancel the card and issue a new account number. You are not liable for fraudulent charges as long as you notify the bank within 60 days of the statement the charges appear on. Remember you'll need to notify any entity that makes auto-debits, such as for gym memberships or cellular service.
  • If you used a debit card, understand that the thief could drain your checking account. You should shut down your debit card immediately, if you haven't already. If you're hit by fraud, some banks will issue a provisional credit. Some banks will do an investigation before returning any of your money.
  • Monitor your affected account regularly -- at least every week, if not every day.
  • Sign up for online access for your account before someone else does. And sign up for email or text alerts on your accounts so you're notified about major activity, purchases, withdrawals, etc. This is critical for bank accounts, because debit cards don't have the same fraud protections as credit cards.
  • If you used a debit card and know the information was breached, you may want to consider closing your bank account and opening a new one. Or at least, you may want to move the majority of your money that you don't need for expenses to a savings account or an account at another bank. A thief can't steal what's not there.
