Sharon Machlis

Machlis Musings

Data breach anger

My credit-card number MAY have been "compromised," Citibank Visa informs me by postal mail. The letter also includes new cards with a new account number. They're closing my old account in a couple of weeks. No, they won't tell me what vendor is involved, so I can decide whether I want to continue doing business with them. No, they won't tell me how much additional information about me might have been "compromised." No, they won't offer any assistance in contacting the places that direct bill my existing account each month. And no, nobody's offering me credit monitoring.

So yes, I'm angry.

I do feel entitled to know a wee bit more about what happened to my personal information, and who didn't adequately protect it. And someone ought to be chipping in here for credit monitoring and assistance in contacting the places that have and regularly use my account.

But as usual, it's consumers who have to use our precious free time to deal with someone else's screw-up.

We need national data breach consumer legislation. And it needs to include better disclosure and assistance to victims of data theft.

What People Are Saying

Oh yeah and another thing

Oh yeah, and another thing: when there is an account compromise, the only thing that "might" have been obtained is just the credit card number or debit card number, none of your personal information. When this happened, did you see any fraudulent charges come through because of this? I didn't think so. I would really appreciate it if you did your research before leaving your comment.

I wanted to give a little

I wanted to give a little bit of information to put your mind at ease. One, I work for Citibank. When there is an account compromise, as a credit card company we are not given the names of the merchants until it goes public. Visa and Mastercard international are the first to know, then the issuing bank. Once it goes public, then we know who the merchants are. Most of the time the merchants don't give their names because, as customers, you probably won't shop there again. In the beginning we know just as much as you do. Don't get angry with the credit card company; it's not our fault.

Yes, we need national data

Yes, we need national data breach legislation. Consumers have every right to know who didn't properly protect our information so we can make an informed decision as to whether we wish to continue doing business with them.

After further calls, it seems I'm one of the tens of millions of TJX credit theft victims. Which tells me the initial claim that they couldn't tell me who the vendor was, because of ongoing law enforcement investigations, was an out and out lie. The TJX story has been public for months. There's no reason why they couldn't tell me that last week.

And how am I feeling about this? Says the TJX Web site:

"We aren't able to specifically identify all of what we believe was stolen due to deletions of data in the ordinary course of business"

Warm & fuzzy feeling, that.

Well Sharon, you have every

Well Sharon, you have every RIGHT to be ticked off! 'Clearly' the problem is... someone who has access to your private (usually financial) data screwed up! We call this in the IT security world a 'no-brainer.'

I also find it not just amazing but bordering on criminal that a bunch of strangers that you have never met, and prolly never will, have more info about YOUR data than you do.

Of course you 'made a choice' to get a card, open an account, or whatever. You also have the choice to cross a busy street because the traffic light turns green telling you that it's 'safe' to cross. So you cross, and someone just about plows into you, running a red light. That's your fault?

Oh I could go on of course, but until some companies start to 'get it'...

Sharon, It would not make

Sharon,

It would not make any sense whatsoever to offer you credit monitoring when you suffered EXISTING credit account fraud. Unless your SSN is compromised, credit monitoring would be useless. Thieves can't open new credit accounts in your name using an old, canceled credit card account number.

Existing credit card fraud is the least serious of identity theft issues. Your protections under statute and by policy are quite good. Although it must be acknowledged that canceling an account can be a big inconvenience, especially for your case where you have direct bills to your card.

Basically, the retailer is at fault and the card processors have the right to shut down their right to use credit cards under payment card industry standards--it is just highly unlikely to happen. The retailer, especially a large one, is a big source of revenue.

As much as we'd like to say "there should be a law", it is a hugely complicated issue. Which is why the CA Governor vetoed legislation to this effect this week.

Sharon, not to trivialize

Sharon, not to trivialize your inconvenience, but I have to agree with Anon 9:31 pm. And not to pour salt in, but YOU, not your credit card company, decided to set up direct bill payments. I'm sure it will be a hassle to get them changed, but it was YOUR decision.
Keep in mind that if your issuer reveals the source of the breach, they will likely get sued by that company for slander/libel or for breaching an NDA they have with that company. When businesses can't have faith in their NDAs with one another, our economy will stop dead in its tracks.

Quote: This looks to me like

Quote:
This looks to me like you're jumping to conclusions, claiming to be damaged without evidence. So you're calling for national legislation -- to do what? Are you the victim?
Unquote.

Actually, what is needed is that the person/entity that loses the data should be identified.

Right now, with the current legislation, they (whoever they are) can continue doing whatever it is that they did. They have no incentive to FIX things.

You call for a solution

You call for a solution without articulating clearly what the problem is. You have been advised by your credit card provider that their data, an account number that they assigned to you, might have been used in a manner contrary to their expectations and therefore are issuing you a new account number. There is a limit on the amount of liability that you would carry in any case -- probably $50, but even that figure is pretty routinely waived if there's no reason to believe that your misuse of the number led to additional charges against your account.

Where is the damage? What is the risk?

You have no evidence whatsoever that any of your "personal information" has been compromised. The asset that could be damaged -- your account number -- has been protected through the implementation of an effective control, i.e., a new account number.

You're put out that no one offered you credit monitoring service. What, exactly, do you think you're going to get from a credit monitoring service? You'll get a report that shows when new credit accounts are being opened in your name. An attacker can't open a new credit account in your name by virtue of knowing your name and the account number of an existing credit card. What problem are you trying to mitigate?

This looks to me like you're jumping to conclusions, claiming to be damaged without evidence. So you're calling for national legislation -- to do what? Are you the victim? Looks to me like your bank, the owner of the account number assigned to you, is the damaged party in this case. They already are given plenty of incentive to fight fraud, and in fact do, as shown by their pre-emptive move to issue new account numbers.