In a great piece of original reporting by Gripe Line Blogger Ed Foster, at least one of the banks whose customers were affected by the CardSystems security breach doesn’t feel it had any obligation to notify its customers.
I’ve previously covered the CardSystems security problems, and noted several times here and on the radio that the main reason we’re learning about these privacy breaches is because of new laws — such as one in California — that require companies to notify consumers whose private information has been compromised. These laws are a common-sense requirement, giving consumers the information they need to be on higher alert for evidence of identity theft.
But as Ed Foster reports, the folks at Chase Manhattan Bank think the law is open to interpretation and don’t think their customers need to know about the risks they face:
“Even the strictest of laws, like the one in California, require more identifying information like the individual’s social security number or an account password be involved,” [a Chase spokesman] told me. “None of those things were accessed in this case.”
As Foster notes, many other financial institutions are taking a different approach, believing that their customers might appreciate knowing when trouble might be around the corner. And, as previously noted, at least one state attorney general has decided that a failure to provide timely notice to consumers was a crime.
If your bank hasn’t notified you about any privacy risk to your credit card, it might be worth giving its customer service department a call to see if it can tell you definitively whether your card was at risk. If they don’t know or refuse to tell you, this might be a good opportunity to close your account, cut up your card, and reduce your risk by finding a bank that cares more about you.
Credit card processing vendor CardSystems Solutions is facing increasing scrutiny of its practices as consumers and lawmakers begin to demand an answer as to how 40 million credit card transaction records were stolen from the company’s data banks.
As details about the breach begin to be made public, it’s clear that — once again — the problem is rooted in deep, systemic problems. In a story credited to the New York Times, CardSystems Solutions’ CEO John M. Perry said the data was being kept in a separate file for “research purposes” in violation of company policy. But the deeper problem was a security breach on the company’s computer network that allowed a hacker to install a “logging” program that gathered data and transmitted it to the hacker.
Unfortunately, the circumstances that led to the theft of 40 million credit card records from CardSystems are hardly a unique occurrence. Just ask Eli Lilly.
Our investigation revealed, as the FTC has publicly stated, that:
On June 27, 2001, a Lilly employee created a new computer program to access Medi-messenger subscribers’ e-mail addresses and sent them an e-mail message announcing the termination of the Medi-messenger service. The June 27th e-mail message included all of the recipients’ e-mail addresses within the “To:” line of the message, thereby unintentionally disclosing to each individual subscriber the e-mail addresses of all 669 Medi-messenger subscribers.
As our investigation turned up, Lilly had extensive and well-documented procedures for developing and testing such computer programs before putting them into production — procedures which were apparently ignored. In its settlement with the FTC in early 2002, Lilly agreed to implement a more vigorous security monitoring and compliance program, to properly train staff on adhering to the tenets of that program, to conduct annual audits of its systems, and to be subject to FTC review for a period of 20 years!
Over the last few years, the FTC has continued to investigate privacy and security breaches. In cases like last week’s B.J.’s Wholesale, Tower Records, Guess.com, and Microsoft’s Passport, each company’s privacy and security practices were compared to its privacy promises and found lacking.
In most of these cases, it’s clear that the companies thought they were being upstanding and responsible. Yet as the investigations turned up, their vague platitudes about privacy and security protection didn’t stand up to scrutiny. For example, Tower Records’ claim of using “state-of-the-art technology to safeguard your personal information” didn’t square with the fact that the company’s network administrators hadn’t applied available security patches for known vulnerabilities on its web servers.
As the CardSystems debacle plays out, I think what we’ll learn is that CardSystems’ screw-ups aren’t at all new or unique. Rather, they are part of an ongoing and systemic problem across corporate America, and are a direct result of the lackadaisical attitude of many companies towards the protection of consumer data in their care.
Until stronger laws give harmed parties real tools for holding companies accountable for such breaches, there will be little incentive for companies to take privacy and security more seriously.
According to an AFP report (which I first read at Huffington Post), MasterCard has announced that a security breach at one of its third-party processing firms has placed upwards of 40 million consumers at increased risk for credit card fraud.
One analyst quoted by CNet’s News.com said this was a big one.
“In sheer numbers, this is probably one of the largest data security breaches,” said James Van Dyke, principal analyst at Javelin Strategy & Research in Pleasanton, Calif.
Because the processor, Arizona-based CardSystems Solutions, processes cards for many firms, more than just MasterCard customers are at risk. Indeed, only 13.9 million of the exposed transaction records involved MasterCard-branded cards.
As always, people need to review their credit card statements, looking carefully for anything out of the ordinary. Under U.S. federal law, your liability is capped at $50.00 for unauthorized charges, and many credit card firms will even waive the $50. And if you suspect your card may have been compromised, call the number on the back of your card and ask them for a new account number. They’ll usually get you a new card in just a few days. (And don’t forget to switch over any recurring billings you might have set up!)