If you have ordered from Knit Picks, keep a VERY close eye on whatever card you used to do so. While the company hasn’t bothered to notify their customers, the California (corrected: Vermont) AG’s office posted about the breach on February 11 (corrected: February 7). Of course you’ve still been getting your emails from KP pushing their products.
While the KP site says they don’t store your credit card info, it appears (admittedly this is just hearsay) they’re lying about that. Cards are actively being exploited now. Certainly if you ordered between Thanksgiving 2012 and January 25, 2013, you should seriously consider contacting your financial institution and getting a new card issued immediately. We ordered a new card last night on the account my husband used for my Christmas present (ironically, I sent him there for the tools because it’s a “reputable” company). I haven’t ordered anything for quite some time, so I’m holding off on replacing the card I use for online shopping.
The Knit Picks web site and blog still haven’t mentioned the issue. PR? They’re failing hard right now.
It had been even longer than this past Thanksgiving since I ordered from them, and I had a substantial unauthorized use of my card on January 29. Thankfully I found out about it right away thanks to WalMart’s fraud department, which contacted me about the charge before completing it. I cannot confirm KnitPicks was the source of my problems, but I am certainly suspicious now. I went on their website to attempt to delete my account with them entirely, but they did not have an option for that. I emailed them; they emailed me back and said they were contacting persons affected. They never contacted me. Their handling of this has been atrocious. I was already dissatisfied with the company. My most recent order took an inordinate amount of time to be delivered and was incorrectly filled, further delaying my receipt of ordered and charged items. This ends my relationship with KnitPicks.
Yikes! Thanks for the heads-up. How unsettling.
They have to have the credit card info stored temporarily... how else could they charge you?
Lots of major retailers and companies have had breaches like this... and more will, too. Better programming practices are needed.
Without having had a breach of this sort, a few times in the past our credit card company has called us to report weird purchases. More than once it was fraudulent use of our card. A few times it was us, traveling, or buying something unusual and large. I am glad they call to check!
I usually respond to comments privately, but this needs to be public.
The retailer absolutely does NOT need to store the card number to charge you. The processing company’s API lets the web server pass the info to them and get back the authorization code. There is no reason – NONE – for them to store the information.
KP also specifically states they do not store your card information. However, if you go look at their parent company web site, they say they do. So KP chose to lie by omission. Legal? Yes. Shitty ethics? Absolutely.
I’ve had servers under my watch hacked, and it’s a horrible feeling when you realize it. It does happen, absolutely. The only truly secure system is the one that has no connections and no keyboard, monitor, or USB/SD/whatever port. Obviously that’s not a very useful system either.
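To illustrate the point made in the reply above (the web server forwards the card to the processor and keeps only the authorization code), here is an added example that is not code from the blog, Knit Picks or any processor: `processor_authorize` is a constructed stand-in for a real processor’s API, `ORDERS` is an in-memory stand-in for the merchant’s database, and `find_stored_pans` is an audit check that flags anything Luhn-valid and card-number-shaped that ends up in stored records.

```python
import re
import secrets

# Constructed stand-in for a payment processor's authorization API. A real
# processor exposes an HTTPS endpoint; this signature is an assumption.
def processor_authorize(pan: str, expiry: str, cvv: str, amount_cents: int) -> dict:
    """Return an authorization result; the card data stays inside this call."""
    return {"approved": True, "auth_code": secrets.token_hex(6), "last4": pan[-4:]}

ORDERS = []  # constructed in-memory stand-in for the merchant's order table

def checkout(pan: str, expiry: str, cvv: str, amount_cents: int) -> dict:
    """Charge the card by passing it straight through to the processor and
    persist only what is needed to reconcile the order: amount, auth code,
    last four digits. PAN, expiry and CVV are never written anywhere."""
    result = processor_authorize(pan, expiry, cvv, amount_cents)
    record = {"amount_cents": amount_cents,
              "auth_code": result["auth_code"],
              "last4": result["last4"]}
    ORDERS.append(record)
    return record

def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

PAN_RE = re.compile(r"\b\d{13,19}\b")   # card numbers are 13 to 19 digits

def find_stored_pans(records) -> list:
    """Audit check: return (field, value) pairs for any stored field containing
    a Luhn-valid 13-19 digit number, i.e. a full card number at rest."""
    hits = []
    for rec in records:
        for key, value in rec.items():
            for candidate in PAN_RE.findall(str(value)):
                if luhn_ok(candidate):
                    hits.append((key, candidate))
    return hits
```

Running the audit over a real order store is the check a retailer can make to back up a "we do not store your card" claim; the constructed test number below is a well-known Luhn-valid placeholder, not a real account.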