Sunday, March 10, 2013

The Great Knit Picks Fiasco

As most of the knitting world knows by now, if you have purchased anything from Knit Picks in the past few years, your credit card might have been swiped and been receiving fraudulent charges in the past couple months (this in spite of the fact that their web checkout SPECIFICALLY says they don't store your credit card information).  They weren't actually hacked--it sounds like the server was sort of unsecured.  Now, if you are aware of this, you didn't hear it from Knit Picks themselves.  Nope. You would have found out from someone else, most likely Ravelry.  That is because vigilant knitters finally found a security breach announcement on the California Attorney General's office, here:  https://www.privacyrights.org/node/55899

The California notice says that the breach was made public on February 11.  It was cross-posted to a group I'm in on Ravelry on February 15.  Knit Picks customers were notified by email or mail...........NEVER.  In spite of the fact that 46 states specifically require a breach that gets a customer name AND one other identifying piece of info, such as a credit card or bank account number, be notified ASAP, no one was emailed and according to a poll recently conducted on the Knit Picks Lover's group on Ravlery, as of this morning 160 people purchased during the supposed time frame (which seems to be a gross underestimation) but have not received a letter from Knit Picks.

Finally, after lots of angry emails and a pretty big pummeling on their FaceBook page (which Knit Picks initially chose to deal with by locking their page to other posters), Knit Picks FINALLY released a statement on February 17.  Not on the main page of their website, and CERTAINLY not in an email to their customers.  Nope, it was buried in their blog on their website and on their Facebook page.  Not ONCE has it appeared on their main web page, or in one of the EXTREMELY frequent emails customers get.  If you don't happen to follow their blog or FB page, you were screwed.

Now, from my reading, this lack of notification NOT ONLY probably breaks consumer protection laws in almost every state in the union, it's incredibly poor customer service.  When LinkedIn got hacked and passwords were exposed, everyone on it immediately received an email warning, even though I'm not sure that was required as it's a free site and I can't imagine what sensitive information could have been gained.  But, kudos for looking out for their members.  Ravelry was even hacked once, and again, all 2 million members heard about it immediately, and while I'm not sure what anyone could possibly gain from looking at my stash, I changed my password as they recommended.  Better safe than sorry, and I appreciate them looking out for me.  So the silence from Knit Picks, when almost every single knitter I know who has shopped with them in the last 2 years has been experiencing some sort of credit card fraud, some for several thousand dollars, is disappointing, to put it lightly.  Their notice buried on the blog tries to imply that it could be other companies that didn't come forward, but here's the deal:  the laws require notification, so unless a whole bunch of companies have chosen to violate consumer protection laws, that is unlikely.  It would also be statistically unlikely that the only group of people I know getting nailed with widespread credit card fraud this year are knitters if it was another company.  It is also extremely unlikely that if Knit Picks had actually mailed letters to their customers before their statement on February 17, it again seems statistically impossible that the poll conducted among a group of people who are self-proclaimed FANS of Knit Picks would show that there are 160+ people who bought during the time frame Knit Picks said were the customers affected and notified who HAVE NOT received a letter, and ZERO have.  I mean, snail mail might not be the fastest thing on the planet, but three weeks is sufficient time for a letter to take a few detours and still have been delivered.  I'm not sure there's anyone left in the knitting world who believes those letters were ever sent.

I've actually been a big fan of Knit Picks for probably about 10 years.  I was buying from their catalog before they even had their yarn line.  But, there is just no justification for how they have been behaving during this.  Luckily, while it looks like someone did try to do something to my personal card, Bank of America sent me a new card before I even knew what had happened, so I haven't had the problems others have been having.  That still doesn't change that Knit Picks could not possibly have handled this in a worse manner.  Had they emailed customers as soon as they discovered something was wrong--even if it said they weren't sure who was affected and who wasn't, but that customers should take proactive steps and put their cards on fraud alert just in case--I don't think anyone would be upset.  As knitters, we probably would have rallied to their side as one does NOT attack one of our own.  But the stonewalling, lack of communication, disregard for their customers, and denial is unforgivable.  I don't think they've even done what they were LEGALLY required to do, much less what they MORALLY should have done.  It's too bad, as I have liked their yarns, but I just can't do business with them again.  Doing business with a company on-line requires trust of that company, and after their handling of this, I know they no longer have mine.

Today's Question For the Universe

How many times do you have to fail the

"prove you're not a robot" test

before you start to wonder?