Walmart Protects Cyberthief Privacy While Choosing To Not Prosecute

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

"All that is necessary for evil to triumph is for good men to do nothing." So said Sir Edmund Burke. But the phrase could equally apply to merchants, and their failure to adequately and aggressively investigate and prosecute online credit-card fraud. Rather than aggressively going after these carders, most retailers consider such losses a "cost of doing business." What's worse, company policies actually help to protect thieves and keep information from both investigators and customers alike.

Recently, my wife learned that her credit-card number had been hacked. The attackers first attempted to charge $1 to (NASDAQ:AMZN), a clear attempt to establish that the card was valid. Of course, what should have happened was that the card should have been immediately shut down by the card brand's heuristic algorithm. But it wasn't. The carders next charged a series of $20 transactions to This was undoubtedly charging giftcards, because they can be electronically delivered and filled. Another glaring red flag undetected.

Indeed, in a very short time, the carders made more than $700 in small-denomination giftcard purchases. When one of these giftcards was accidentally mailed to my house, we realized that the fraud had occurred. We called the card brand, cancelled the card and reported the fraud. That was when things got even more interesting.

We were told that we couldn't get any additional information about the fraudulent use of the card. Then I called Walmart. I told the company about the fraud, and it indicated that I wasn't legally responsible for the charges. Well, no duh. I then asked Walmart for information—not a lot—about the fraudulent charges: When were the charges made; how much were the charges for; where were the items shipped (if at all); and, if Walmart could tell me, what IP addresses were used for the purchases and, if not, at least provide that information to the Secret Service in Arkansas.

That's when I was in for a shock. The merchant told me it couldn't provide me—the cardholder—with information about the use of my own card. This was to protect the privacy of whoever stole the card. Walmart indicated that its policy is to prevent "retribution" against the hackers and that it was merely protecting their identity.

I asked Walmart if it had, or would, report this "crime" to the police, but the company didn't seem to be in any hurry to do so. So, I can call the police, FBI, Secret Service or even Joe Simpson, the Chief of the Bentonville, Ark., Police Department. But if I did so, I wouldn't have any of the information those agencies would need to investigate. Walmart told me that it would have provided me the information if I hadn't reported the card as being misused. But, after all, the company needs to protect the privacy of criminals.

Since when did it become the job of the merchant to protect those ripping off its customers? As I've written recently, consumers have a right under FTC guidelines to know what information a merchant has collected about them.

In this case, the information was about how the thieves used the website. Walmart refused to provide this information. It refused to cancel the giftcards, track their use or conduct any further investigation. What's worse, Walmart refused to involve me—the victim—in the investigation.

Carders and hackers know their crimes may come in under the radar—that the cost of investigation makes it economically unfeasible to pursue these cases. Knowing this, they will continue their cyberthieving, with Walmart protecting their privacy while not prosecuting. Hence, evil triumphs, shopper loses.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.