The Great Knit Picks Fiasco
As most of the knitting world knows by now, if you have purchased anything from Knit Picks in the past few years, your credit card might have been swiped and been receiving fraudulent charges in the past couple months (this in spite of the fact that their web checkout SPECIFICALLY says they don't store your credit card information). They weren't actually hacked--it sounds like the server was sort of unsecured. Now, if you are aware of this, you didn't hear it from Knit Picks themselves. Nope. You would have found out from someone else, most likely Ravelry. That is because vigilant knitters finally found a security breach announcement on the California Attorney General's office, here: https://www.privacyrights.org/node/55899
The California notice says that the breach was made public on February 11. It was cross-posted to a group I'm in on Ravelry on February 15. Knit Picks customers were notified by email or mail... NEVER. In spite of the fact that 46 states specifically require a breach that gets a customer name AND one other identifying piece of info, such as a credit card or bank account number, be notified ASAP, no one was emailed, and according to a poll recently conducted on the Knit Picks Lover's group on Ravelry, as of this morning 160 people purchased during the supposed time frame (which seems to be a gross underestimation) but have not received a letter from Knit Picks.
Finally, after lots of angry emails and a pretty big pummeling on their Facebook page (which Knit Picks initially chose to deal with by locking their page to other posters), Knit Picks FINALLY released a statement on February 17. Not on the main page of their website, and CERTAINLY not in an email to their customers. Nope, it was buried in their blog on their website and on their Facebook page. Not ONCE has it appeared on their main web page, or in one of the EXTREMELY frequent emails customers get. If you don't happen to follow their blog or FB page, you were screwed.
Now, from my reading, this lack of notification NOT ONLY probably breaks consumer protection laws in almost every state in the union, it's incredibly poor customer service. When LinkedIn got hacked and passwords were exposed, everyone on it immediately received an email warning, even though I'm not sure that was required as it's a free site and I can't imagine what sensitive information could have been gained. But, kudos for looking out for their members. Ravelry was even hacked once, and again, all 2 million members heard about it immediately, and while I'm not sure what anyone could possibly gain from looking at my stash, I changed my password as they recommended. Better safe than sorry, and I appreciate them looking out for me. So the silence from Knit Picks, when almost every single knitter I know who has shopped with them in the last 2 years has been experiencing some sort of credit card fraud, some for several thousand dollars, is disappointing, to put it lightly. Their notice buried on the blog tries to imply that it could be other companies that didn't come forward, but here's the deal: the laws require notification, so unless a whole bunch of companies have chosen to violate consumer protection laws, that is unlikely. It would also be statistically unlikely that the only group of people I know getting nailed with widespread credit card fraud this year are knitters if it was another company. It also seems statistically impossible that, if Knit Picks had actually mailed letters to their customers before their statement on February 17, the poll conducted among a group of people who are self-proclaimed FANS of Knit Picks would show that there are 160+ people who bought during the time frame Knit Picks said were the customers affected and notified who HAVE NOT received a letter, and ZERO have.
I mean, snail mail might not be the fastest thing on the planet, but three weeks is sufficient time for a letter to take a few detours and still have been delivered. I'm not sure there's anyone left in the knitting world who believes those letters were ever sent.
I've actually been a big fan of Knit Picks for probably about 10 years. I was buying from their catalog before they even had their yarn line. But, there is just no justification for how they have been behaving during this. Luckily, while it looks like someone did try to do something to my personal card, Bank of America sent me a new card before I even knew what had happened, so I haven't had the problems others have been having. That still doesn't change that Knit Picks could not possibly have handled this in a worse manner. Had they emailed customers as soon as they discovered something was wrong--even if it said they weren't sure who was affected and who wasn't, but that customers should take proactive steps and put their cards on fraud alert just in case--I don't think anyone would be upset. As knitters, we probably would have rallied to their side as one does NOT attack one of our own. But the stonewalling, lack of communication, disregard for their customers, and denial is unforgivable. I don't think they've even done what they were LEGALLY required to do, much less what they MORALLY should have done. It's too bad, as I have liked their yarns, but I just can't do business with them again. Doing business with a company on-line requires trust of that company, and after their handling of this, I know they no longer have mine.
Comments
I had to find out by my bank freezing my card and calling me to say that the information was stolen.
As a result, my bank then made some mistakes on top of it that caused me to be completely without access to my [only] bank account for a month now (still waiting for my new debit card).
It's been a horror story and I don't think I can trust knit picks again after this.
However, I do know why free sites notify: it's because some people reuse passwords, and if someone gets your email and password for one site, they might try it on others that have more potential for fiscal abuse.
KnitPicks' 'new' website is now fraught with problems: email confirmation of orders does NOT happen -- a HUGE security issue in my mind. Customer support is absolutely useless. After ten email exchanges specifically asking for that document, not once was I told of the security breach, and I did purchase during their breach timeframe. I learned about it by accident (Ravelry) and have been on the warpath ever since.
I've received ZERO email or snail mail from them on this issue. It absolutely flabbergasts me that KnitPicks and Crafts Americana can be so guarded for themselves and not give a rat's ass about their paying customers!
I, for one, will NEVER buy from them again. Ever.
I received zero notice of this breach and while attempting to find out more have come across multiple broken links to the CEO statement on the Knit Picks blog which no longer exists.
I am furious.
Will never ever do business with them again.
I was also never notified by Knitpicks.
Thanks for the post/information.
I bought during the supposed time frame and was totally compromised not only on the card I used then but for every card I ever used on their site. I never got an email, a letter - nothing but attitude when I emailed them to tell them to remove my account entirely. The only one they were concerned about in all of this was themselves. I vowed when this happened that I would never order from them again and I still stand by my vow. I mention this here and now because I have seen so many who were hurt by them go crawling back now that they have such a great sale going on. They do not deserve my business, they do not deserve anyone's business because they cannot be trusted. PERIOD. END OF STORY. NO TRUST = NO ORDERING.
I just wanted to say, though, that it's possible to hack a website in such a way that you can gather up credit-card numbers as they are used and processed. The site doesn't have to store the CC numbers. So it's possible, however unlikely, that KnitPicks told the truth about their credit-card number storage habits, at least.
The problem is that they didn't even tell people they'd been hacked, much less how the hackers operated. So we'll never know for sure.