01-12-2016, 10:08 PM   #16
ScoobsMcGee
Quote:
Originally Posted by PandaSPUR
This. A lot of breaches go unnoticed until one of the credit reporting agencies, or the credit card companies notice that a bunch of people making fraudulent charge claims have made purchases at one common retailer.

At that point, the retailer gets notified and has a certain amount of time to investigate and remediate (usually hiring a third party consulting firm) as per PCI standards. They have to identify all affected customers, and then notify them AFTER they're confident they have all the names. At that point they also get fined based on how many card numbers were compromised.

Usually they're not allowed to, or are advised against, sending mass notifications that their site is breached immediately since that tips off the attackers as well and makes investigations harder.
Sums up most of what I wanted to say. It is possible that they'll still respond to a post or two now that the word is out, but there are legal obligations to send notification to the affected customers first. As for snail mail versus email, in addition to possibly compromising any investigation, street addresses are generally more reliable. Fake email addresses and junk mail filters can get in the way. The credit card companies have a valid mailing address or PO box.