DSW Releases Findings From Fraud Investigation

The theft was previously reported in a March 8, 2005 press release. The data stolen was purchase information from DSW customers who shopped at certain DSW stores primarily between mid-November 2004 and mid- February 2005. The key facts reported below were just verified in the forensic investigation by one of the nations leading computer security firms. Contrary to published reports, DSW has not previously estimated the amount of data stolen. The key facts as known today are: * Information from 108 stores was stolen (for a list of stores, go to http://www.DSWShoe.com ). The number of stores was initially thought to be 103. * Transaction information involving 1.4 million credit cards was obtained. For each card, the stolen information included credit or debit card number, name and transaction amount. Neither addresses nor any other information from the credit card users was stolen, as it was not provided at the point of purchase and, therefore, not stored. (No PIN numbers were among the stolen data.) * Transaction information involving 96,000 checks was stolen. In these cases, checking account numbers and drivers license numbers were obtained. Importantly, customer names, addresses and Social Security numbers were not obtained. * Customer information provided through the DSW proprietary Reward Your Style Program or via DSWs Web site ( http://www.DSWShoe.com ) was not accessed or stolen. What the company has done: * Within 24 hours of discovery of the theft, contacted federal law enforcement authorities (the United States Attorneys Office and the U.S. Secret Service). These authorities continue to investigate this crime. DSW is providing all requested assistance and working with the authorities to pursue those responsible for this crime and, if apprehended, prosecuting to the fullest extent of the law. * Within 24 hours of discovery of the theft, contacted and brought in a leading computer security firm, Ubizen (owned by a company named Cybertrust Inc.) to begin a forensic investigation. The security firm has confirmed that DSW has taken appropriate steps since the incident to prevent any further data theft. * Within 24 hours of discovery of the theft, notified cardholder associations (VISA, MasterCard, Discover and American Express). * Promptly issued a press release alert and posted a customer alert, as well as information and links pertaining to security issues and the theft of personal information, on http://www.DSWShoe.com . * Provided the stolen credit and debit card numbers to American Express, Discover, VISA and MasterCard. VISA and MasterCard provided these card numbers to the issuing banks and American Express and Discover implemented their standard procedures to monitor the cards at risk. Again, the addresses of customers who used credit cards were not taken. With additional effort, DSW was able to obtain contact information for approximately half of the affected credit card customers and is in the process of sending notification letters to each of these customers. The letter advises customers to contact their credit card company or issuing bank for further instructions, and directs customers to other helpful resources. * With respect to checking account information, neither the name nor address of customers paying by check is recorded at the time of the purchase. Therefore, additional research was required to determine a way to provide notice, but DSW has now gathered names and addresses for approximately 88 p