The Gift That Keeps On Giving (and I am not talking about the jelly of the month club)…
So, this past year has proven to be rather interesting in the information security area. Malicious code and stolen personal data (read: credit card numbers) abound. I would like to share with you a story of PII data compromise. This made those affected quite grumpy… particularly me.
Recently, RBS WorldPay sent out notifications of a data breach. You can read more about that here: http://www.rbslynk.com/ and here: http://www.reuters.com/article/idUS186079+23-Dec-2008+PRN20081223 These notifications stated that personal data was compromised and how it was going to be mitigated. In addition, the letter provided information on how to obtain one year of credit monitoring at no cost. While the letter provided bad news, the company did everything right. However, there was some basic information lacking.
The letter provided no indication of which accounts were compromised other than saying “prepaid gift, rewards, or payroll card[s].” A simple listing of the last four digits of the account numbers affected would have been helpful. In fact, I had to Google around to figure out which of my accounts may have been affected…to this date, I think it is tied to an expired gift card issued from Citizen’s Bank…whoopee! After Googling, I found some information that indicated that a gift card given to me as a gift from a former employer might have been the culprit. Great!!! A parting gift that led to the compromise of some data. Thanks! I am so glad I registered that card online to track how much was left on it.
Many of you may be wondering what data was compromised and how did that data become compromised if it was a gift card. Great questions. I wish I knew the answers. Let me hypothesize about what happened since the letter sent to me was lacking some information.
According to the letter, my name, address, telephone number, Social Security number, card account number, and PIN may have been compromised. Well, I remember receiving this gift card (pre-paid MasterCard) several years ago. It had the option of registering online to track balance information. I signed up for this service. I do remember providing my name, address and maybe phone number. There is no way I provided a SSN or PIN. Heck, when I got it, I wondered if I could just go to an ATM and take the cash, as a few presidents spend easier than this thing. No luck with that; one of the provisions of the card stated that a PIN would not be issued. So, what did they get? They probably got my name, address, phone number, account number and expiration date. Really, this is not information that cannot be gleaned from Google…minus the account number and expiration date (I hope!). I pulled the gift card from my wallet only to find that it expired in 2007. If I remember correctly, I had a whopping $7.00 left on it. I really do not care. By the way, where’s my new card since there is still a balance on it? I am sure there is a cardholder provision that says, hey, if you don’t use the card for so many months, we are going to dock it until there is nothing left. This raises another question: Why was my data still on file for an expired gift card? No statements are provided. I cannot dispute anything, so why bother, especially if registering is optional.
So, what do we do from here? Well, companies need to do a better job of providing enough information to the end user to help ensure the security of their accounts. I still have no idea if the gift card mentioned above is the correct card. In fact, without reading some of the press releases online, I thought this was an elaborate phishing scam. I may take advantage of the free credit monitoring, but do I really want to provide more information to another third party? Not really.
Let me hear your thoughts in the comments.