Sunday, March 10, 2013

The Great Knit Picks Fiasco

As most of the knitting world knows by now, if you have purchased anything from Knit Picks in the past few years, your credit card number might have been stolen, and your card may have been receiving fraudulent charges in the past couple of months (this in spite of the fact that their web checkout SPECIFICALLY says they don't store your credit card information).  They weren't actually hacked--it sounds like the server was simply left unsecured.  Now, if you are aware of this, you didn't hear it from Knit Picks themselves.  Nope.  You would have found out from someone else, most likely Ravelry.  That is because vigilant knitters finally found a security breach announcement on the California Attorney General's website, here:  https://www.privacyrights.org/node/55899

The California notice says that the breach was made public on February 11.  It was cross-posted to a group I'm in on Ravelry on February 15.  Knit Picks customers were notified by email or mail... NEVER.  In spite of the fact that 46 states specifically require prompt notification when a breach exposes a customer name AND one other identifying piece of info, such as a credit card or bank account number, no one was emailed, and according to a poll recently conducted on the Knit Picks Lover's group on Ravelry, as of this morning 160 people who purchased during the supposed time frame (which seems to be a gross underestimation) have not received a letter from Knit Picks.

Finally, after lots of angry emails and a pretty big pummeling on their Facebook page (which Knit Picks initially chose to deal with by locking their page to other posters), Knit Picks FINALLY released a statement on February 17.  Not on the main page of their website, and CERTAINLY not in an email to their customers.  Nope, it was buried in their blog on their website and on their Facebook page.  Not ONCE has it appeared on their main web page, or in one of the EXTREMELY frequent emails customers get.  If you don't happen to follow their blog or Facebook page, you were screwed.

Now, from my reading, this lack of notification NOT ONLY probably breaks consumer protection laws in almost every state in the union, it's incredibly poor customer service.  When LinkedIn got hacked and passwords were exposed, everyone on it immediately received an email warning, even though I'm not sure that was required, as it's a free site and I can't imagine what sensitive information could have been gained.  But, kudos for looking out for their members.  Ravelry was even hacked once, and again, all 2 million members heard about it immediately, and while I'm not sure what anyone could possibly gain from looking at my stash, I changed my password as they recommended.  Better safe than sorry, and I appreciate them looking out for me.  So the silence from Knit Picks, when almost every single knitter I know who has shopped with them in the last 2 years has been experiencing some sort of credit card fraud, some for several thousand dollars, is disappointing, to put it lightly.  Their notice buried on the blog tries to imply that it could be other companies that didn't come forward, but here's the deal:  the laws require notification, so unless a whole bunch of companies have chosen to violate consumer protection laws, that is unlikely.  It would also be statistically unlikely that the only group of people I know getting nailed with widespread credit card fraud this year are knitters if it was another company.  And if Knit Picks had actually mailed letters to their customers before their statement on February 17, it seems statistically impossible that a poll conducted among a group of self-proclaimed FANS of Knit Picks would show 160+ people who bought during the time frame Knit Picks said covered the affected and notified customers and who HAVE NOT received a letter, and ZERO who have.  
I mean, snail mail might not be the fastest thing on the planet, but three weeks is sufficient time for a letter to take a few detours and still have been delivered.  I'm not sure there's anyone left in the knitting world who believes those letters were ever sent.

I've actually been a big fan of Knit Picks for probably about 10 years.  I was buying from their catalog before they even had their yarn line.  But, there is just no justification for how they have been behaving during this.  Luckily, while it looks like someone did try to do something to my personal card, Bank of America sent me a new card before I even knew what had happened, so I haven't had the problems others have been having.  That still doesn't change that Knit Picks could not possibly have handled this in a worse manner.  Had they emailed customers as soon as they discovered something was wrong--even if it said they weren't sure who was affected and who wasn't, but that customers should take proactive steps and put their cards on fraud alert just in case--I don't think anyone would be upset.  As knitters, we probably would have rallied to their side as one does NOT attack one of our own.  But the stonewalling, lack of communication, disregard for their customers, and denial is unforgivable.  I don't think they've even done what they were LEGALLY required to do, much less what they MORALLY should have done.  It's too bad, as I have liked their yarns, but I just can't do business with them again.  Doing business with a company on-line requires trust of that company, and after their handling of this, I know they no longer have mine.

26 comments:

  1. Agreed. I'm lucky enough that I haven't ordered from Knit Picks with my current credit card, but their handling of this security breach makes me not want to do business with them ever in the future.

  2. Hmmm. BoA sent me a new credit card a while ago, but I didn't pay attention to why. I use PayPal on my Knit Picks orders, though, so it may have been because of another breach. :-(

  3. I was caught in this horrible disaster and as you mentioned I haven't received any kind of notification from Knit Picks.

    I had to find out by my bank freezing my card and calling me to say that the information was stolen.

    As a result, my bank then made some mistakes on top of it that caused me to be completely without access to my [only] bank account for a month now (still waiting for my new debit card).

    It's been a horror story and I don't think I can trust knit picks again after this.

  4. I had a couple of breaches on two different cards within about a couple of weeks of each other, but I can't say it originated with Knit Picks unless the information that was breached extended beyond the sensitive period they're claiming. Needless to say, I didn't receive a letter, even after they finally acknowledged that Canadians are entitled to receive one as well as the American customers. Thank goodness for the yarn diet. Although I like their product, the probability of me ordering from Knit Picks any time in the future is rather slim. I'm so disappointed in how they've handled themselves. I guess they figured that knitters deserve to have the wool pulled over their eyes.

  5. Hmm. I haven't had any issues, but then it's been a while since I ordered anything from Knitpicks.

    However I do know why free sites notify- it's because some people reuse passwords, and if someone gets your email and password for one site, they might try it on others that have more potential for fiscal abuse.

  6. They certainly lost me for good with that debacle. I had their Superwash wool felt on me before too...

  7. It's odd to have to be more pleased with one's bank than one's yarn store, but I too had my BANK tell me my card was compromised, not the on-line store who KNEW they were hacked. No more shopping there. You put it right, if they had handled this right we would have rallied behind them. As it is, nope, they're done.

  8. I too am an extremely disappointed KP customer/fan. My card was used as a result of this as well and I learned from a kind knitter e-mailing me - not from KP - never received any contact from KP. At 11:00 p.m. that night, I was on the phone with my c.c. co. - learning someone had shopped at a computer store at my expense. My card was cancelled and another issued but, I too am disappointed and uncertain of future purchases even though I love their needles. I will never shop with them online again. So much damage could have been avoided if they'd let their customers know immediately. I can't fathom this degree of nonchalance - I'd really like an explanation. I'm guessing there isn't one.

  9. Ah, so that's what happened! I have one credit card that I always use on-line in case of hacking. Citibank called to let me know someone from Sri Lanka bought a $50 pizza and was wondering if I was on vacation. Not! They credited then closed my account, and sent me a new card. Bummer too because I knew that number by heart. Thanks for letting me know, Toni! I've been slowly putting the new number out there but was fidgety about it happening again so soon.

  10. I've just stumbled across this. I was browsing Ravelry and they are still advertising Knit Picks and have links up to purchase patterns from there! I didn't know there was an issue and clicked a link on Ravelry to purchase a pattern from Knit Picks but got a message that their website had been disabled.

  11. I, too, just learned of this on March 28. My account was compromised, and my bank caught it in time. They knew I didn't buy that "Air Asia" airline ticket, thank god.

    KnitPicks' 'new' website is now fraught with problems: email confirmation of orders does NOT happen -- a HUGE security issue in my mind. Customer support is absolutely useless. After ten email exchanges specifically asking for that document, not once was I told of the security breach, and I did purchase during their breach timeframe. I learned about it by accident (Ravelry) and have been on the warpath ever since.

    I've received ZERO email or snail mail from them on this issue. It absolutely flabbergasts me that KnitPicks and Crafts Americana can be so guarded for themselves and not give a rat's ass about their paying customers!

    I, for one, will NEVER buy from them again. Ever.

    Replies
    1. I agree because my credit card was hacked recently. Hmm.

  12. They are in violation of Oregon State laws with regard to notification of potential victims. http://www.leg.state.or.us/ors/646a.html

  13. I just found out about this after a side comment someone made on Ravelry. I made a purchase during the window and after a call to my bank found out that someone did attempt to access my funds.

    I received zero notice of this breach and while attempting to find out more have come across multiple broken links to the CEO statement on the Knit Picks blog which no longer exists.

    I am furious.

  14. I actually reported them to the Attorney General in Minnesota. They finally responded to them that fewer than 120 people in all of Minnesota were impacted and that I was not one of the 120. So a credit card I had only used on their site was stolen by aliens to purchase a dishwasher online shipping to another state. Hmmm.

    Will never ever do business with them again.

  15. I was affected as well. This was a credit card that was ONLY used with Knit Picks. I emailed them twice for an explanation of why I wasn't informed. After several weeks, they responded that they had notified everyone and I was not one who had been affected. They lied.

  16. My card was just compromised 10 days ago. Luckily I was called immediately by Capital One and they informed me that the site I had used it on was listed as compromised and they were sending me a new card. I don't think this fiasco is over by a long shot.

    I was also never notified by Knitpicks.

  17. All this, along with the fact that the quality of so much of the merchandise has declined since they started out-sourcing to China. Strange business model.

  18. Interesting. I was just about to place an order from Knit Picks. Now I won't.

    Thanks for the post/information.

  19. I had two cards, debit and credit, compromised late in December, 2012, within a day of each other. My credit card company called me, but I found out through my bank when I went to use my debit card to pay for fuel and food. My last two purchases with both of those cards were with Knit Picks. I didn't have either from the day after Christmas through New Year's. Thank goodness I had cash. I love their Cotton Worsted (I'm allergic to wool) and Dishie but I will not order from them again.

  20. Since your credit card is from Bank of America, you can take advantage of a free service called ShopSafe which creates temporary credit card numbers which you can use instead of handing out your real number. It can be found on the lower right hand side of your current purchase itemization page. Say your purchase from KP will be for $12.50. Create a ShopSafe card for $13 to cover it. Then your account can't be hacked.

  21. I've been planning to buy stuff from Knit Picks for a while now, but hearing about this, I'm glad I never got around to ordering anything from them!

  22. I'm glad to see this post is still up and active. Knit Picks lied throughout the hack, they lied about storing customer information, they broke countless laws about informing customers (please tell me SOMEONE has sued the pants off of them... please) and they never revealed the full extent of the hack (and don't seem as if they were really all that concerned about knowing).

    I bought during the supposed time frame and was totally compromised not only on the card I used then but for every card I ever used on their site. I never got an email, a letter - nothing but attitude when I emailed them to tell them to remove my account entirely. The only one they were concerned about in all of this was themselves. I vowed when this happened that I would never order from them again and I still stand by my vow. I mention this here and now because I have seen so many who were hurt by them go crawling back now that they have such a great sale going on. They do not deserve my business, they do not deserve anyone's business because they cannot be trusted. PERIOD. END OF STORY. NO TRUST = NO ORDERING.

  23. Here it is a year later and this is the first I've heard of this. Admittedly I was out of the knitting world last year when this happened. But it does explain why I had fraudulent activity on my card around that time. Thankfully my CC company called me immediately and we dealt with it with minimal problems. I have always had mixed feelings about Knit Picks for some reason (unlike WEBS that I have a good feeling about). I have quite a bit of their yarn, but I don't think I will be buying more from them.

  24. So this is what happened. Like the previous poster, this is the first time I'm hearing about this. I went to get gas and was told my card was declined for fraudulent activity. That was quite a shock. Fortunately USAA already pegged it as fraudulent as did the company with which the order was placed. I wasn't sure how it happened, but I'd recently placed an order on Knit Picks and I just had a feeling.

  25. I heard about this back when it happened and then forgot for a while, and given the quality issues I've been hearing about with their yarn, I think I'm going to give them a miss from now on.

    I just wanted to say, though, that it's possible to hack a website in such a way that you can gather up credit-card numbers as they are used and processed. The site doesn't have to store the CC numbers. So it's possible, however unlikely, that KnitPicks told the truth about their credit-card number storage habits, at least.

    The problem is that they didn't even tell people they'd been hacked, much less how the hackers operated. So we'll never know for sure.
