Mon 23 Feb 2009
I get by with a little help from my friends
Posted by andyitguy under credit card, data breech, information security
[3] Comments
I need some help. I’m hoping that some of y’all who understand this a little better than I do can shed some light on this situation. Today I got an email alert from my bank telling me that a “card not present” transaction occurred on my bank card. The amount was small, I knew that I hadn’t done it so a red flag was immediately raised. I then called my wife to see if she had bought something online and she hadn’t. I searched my little brain to see if I could remember anything that I did over the weekend that may account for the charge but nothing came up. Next I called the number that was listed by the transaction and got a couple of busy signals and then a “this is not a working number” message. I called my bank and told them what I suspected and had a temporary lock put on my card.
I continued to try and call the company that had made the charge and finally got through and they explained that the charge was a mistake and that it would be corrected. When I asked them how this mistake happened I was told that they were a marketing firm and one of their “partner” marketing firms had sent them a database with customer info and it had mistakenly gone to accounting for billing instead of going to the marketing department for marketing. Obviously my next question was “why does marketing info include credit card info?” Of course she didn’t know because she is only customer service. I had one more question that needed answering. “Who was the company that sent the database?” Of course I didn’t get an answer to that either. They have partnerships with over 150 other firms and it could have been any of them.
I decided not to press it at this time because I’m on a bus full of people who don’t need to know my business and surely don’t want to hear me get upset with this nice customer service rep. So I’ve decided to wait until a better time to discuss this with them.
My question is what reason is there for one company to send a database with card info to another company for marketing purposes? Does anyone out there know? I also have a slew of other questions. How was the database sent? Via email? Was the database encrypted? Are the companies involved PCI compliant? Wait, that doesn’t really matter does it? How about this, are the companies involved practicing good security? Scratch that one also. Obviously at least one of them isn’t doing such a hot job of it. What about the company that received the database? Who there now has access to my card info? What is that company doing to secure my data now?
As I mentioned I’m not through with this. I want to know who the company is that sent the data. I want to know how and why this happened. I want to know why they still have my card info on file and what their retention policy is. I want to know what they are doing to prevent this from happening again. I also want to know about disclosure. What are they going to do to protect me? I guess I know the answer to that one already. If anything they will give me a free year of credit monitoring. Yeee Ha!
I guess I’ll make my temporary hold a permanent cancellation and cancel my wife’s card as well. Considering that with all the breaches of late (including the new one that hasn’t been “officially” announced) the card is probably compromised anyway.
3 Responses to “I get by with a little help from my friends”
Trackbacks & Pingbacks:
- [...] I get by with a little help from my friends – Andy ITGuy Protect your PIN! Protect your signature! But don’t mind us while we sell the information to all and sundry… [...]
Very interesting post Andy.
Obviously there has been some sort of issue here. I would not call it a breach as such because the information leaked into another part of the company and not out onto the Internet (as far as you know).
Of course, the partner that sent your information is sharing information that they really shouldn’t.
I guess the question is “what constitutes a breach?” and what can be done.
Afaik (me being from Africa) each of the States has its own privacy laws. Here, in South Africa, you have the right to demand to know exactly where the company got your information from. There is not much you can do with that information but you have the right to know.
I like to think in terms of processes – every process in a company (both IT and non-IT) needs information to happen. When more than that information is passed to a process that doesn’t need it – trouble is waiting to happen. A simple DLP solution would have prevented PCI information from being passed by the original company.
I am eagerly awaiting an update on this post, Andy.
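A check of the kind this comment describes, as an added example that is not part of the original post or the commenter's own words: a small Python pre-release scan that inspects a record set before it is handed to a partner, flags any field holding a Luhn-valid card number, and blocks the hand-off when one is found. The sample records, the field names, the `find_pans`/`scan_export`/`release_decision` helpers and the BLOCK/ALLOW decision are all constructed for the illustration; a real DLP product would apply the same pattern-plus-checksum test at the mail gateway or file transfer point.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a "marketing" hand-off that should carry contact data only,
# but two rows have card numbers tucked into a free-text field.
SAMPLE_EXPORT: List[Dict[str, str]] = [
    {"name": "A. Customer", "email": "a@example.com",
     "notes": "Opted in to newsletter"},
    {"name": "B. Customer", "email": "b@example.com",
     "notes": "Billing card 4111 1111 1111 1111, exp 12/10"},
    {"name": "C. Customer", "email": "c@example.com",
     "notes": "Order ref 1234567890123456"},   # 16 digits, but fails Luhn
    {"name": "D. Customer", "email": "d@example.com",
     "notes": "pan=5500000000000004"},
]

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Mod-10 checksum that every card brand applies to its PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the digit strings in text that look like a PAN and pass Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(digits: str) -> str:
    """Keep only the last four digits so the finding itself is not a PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_export(records: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Walk every field of every record; report (row, field, masked PAN)."""
    findings = []
    for idx, rec in enumerate(records):
        for field, value in rec.items():
            for pan in find_pans(value):
                findings.append((idx, field, mask(pan)))
    return findings


def release_decision(records: List[Dict[str, str]]) -> str:
    """Policy: a marketing hand-off with any PAN in it does not leave the building."""
    return "BLOCK" if scan_export(records) else "ALLOW"


if __name__ == "__main__":
    for idx, field, masked in scan_export(SAMPLE_EXPORT):
        print(f"row {idx}: field '{field}' contains PAN {masked}")
    print("decision:", release_decision(SAMPLE_EXPORT))
```

The Luhn step is what keeps the order reference in row 2 from being a false positive; the masking step is what lets the finding be logged or emailed to a reviewer without creating a second copy of the card number.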
Something tells me that no matter how much you as an individual scream they probably won’t tell you anything, so I suggest that you switch tactics.
Back when I was in DC one of the news channels had an investigative reporter that took stories like this and investigated. Now I don’t watch local news down here in Atlanta but I bet that one of the stations does. Give them a call. I bet that this is one of those “common appeal” stories that touches everyone and they may just pick up on it.
If they say no then you’re no worse off than you were before.
Just a thought.