TJX Companies Report Data Breach - Fraud Alert

TJX, which owns retailers TJ Maxx, Marshalls, Home Goods and AJ Wright, has reported a data breach and says that transaction data from 2003 and 2006 was stolen.

“Unfortunately, the public is becoming used to data breaches,” said Consumer Help Web President Joan Bounacos. “This one is more serious than a company simply missing data,” she added. “The company admits that the data was stolen, yet strangely has not offered free credit monitoring to its customers for that time.”

TJX has established a toll free customer help line. Callers from the United States may reach the help line at (866) 484-6978.

Posted under Privacy

This post was written by George Bounacos on February 15, 2007


Free Credit Report Monitoring For AT&T Customers Whose Data Was Breached

AT&T Inc. today said that unauthorized persons illegally hacked into a computer system and accessed personal data, including credit card information, from several thousand customers who purchased DSL equipment through the company’s online Web store.

The unauthorized electronic access took place over the weekend, was discovered within hours and the online store was shut down immediately. AT&T also quickly notified the major credit card companies whose customer accounts were involved. The company is now working with law enforcement.

Customer notifications are ongoing by email, phone and letter to fewer than 19,000 customers. In addition to notifying those customers who were affected, the company will pay for credit monitoring services to assist in protecting the customers involved.

“We recognize that there is an active market for illegally obtained personal information. We are committed to both protecting our customers’ privacy and to weeding out and punishing the violators,” said Priscilla Hill-Ardoin, chief privacy officer for AT&T. “We deeply regret this incident and we intend to pay for credit monitoring services for customers whose accounts have been impacted. We will work closely with law enforcement to bring these data thieves to account.”

Customers who have been affected have been provided with a toll-free number to call for more information.

Posted under Privacy

This post was written by George Bounacos on August 29, 2006


200,000 HP Workers At Risk In Latest Data Breach

The names, social security numbers and other personally identifying information for 196,000 Hewlett-Packard employees were stored on a laptop stolen from one of the company’s vendors, sources recently revealed.

The stolen computer belonged to finance giant Fidelity Investments. A spokesperson for that firm has been protesting for weeks that the information was not intended to be on a portable device. The company is offering limited credit monitoring services as a result of the data breach.

Posted under Privacy

This post was written by George Bounacos on May 1, 2006


Card Systems Settles FTC Charges

In the largest known compromise of financial data to date, CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems’ failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an unfair practice that violated federal law. According to the FTC, the security breach resulted in millions of dollars in fraudulent purchases. The settlement will require CardSystems and Pay By Touch to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years.

This is the ninth FTC case targeting companies whose security practices compromised consumers’ confidential financial information, and the first the Commission has brought against a credit card processor.

“CardSystems kept information it had no reason to keep and then stored it in a way that put consumers’ financial information at risk,” said Deborah Platt Majoras, Chairman of the FTC. “Any company that keeps sensitive consumer information must take steps to ensure that the data is held in a secure manner.”

According to the FTC, CardSystems provided merchants with products and services used in “authorization processing” – obtaining approval for credit and debit card purchases from the banks that issued the cards. Last year, it processed about 210 million card purchases, totaling more than $15 billion, for more than 119,000 small and mid-size merchants. In processing these transactions, CardSystems collected personal information from the magnetic strip of the card, including the card number, expiration date, and other data. CardSystems then stored this information on its computer network. Pay By Touch acquired CardSystems’ assets in December 2005, and now processes transactions for the same merchants CardSystems served.

The FTC charged that CardSystems engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for sensitive consumer information. Specifically, the agency alleges that CardSystems:

* created unnecessary risks to the information by storing it;
* did not adequately assess the vulnerability of its computer network to commonly known or reasonably foreseeable attacks, including “Structured Query Language” injection attacks;
* did not implement simple, low-cost, and readily available defenses to such attacks;
* did not use strong passwords to prevent a hacker from gaining control over computers on its computer network and access to personal information stored on the network;
* did not use readily available security measures to limit access between computers on its network and between its computers and the Internet; and
* failed to employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations.

According to the FTC’s complaint, these practices compromised millions of credit and debit cards, and led to millions of dollars in fraudulent purchases. In addition, after the fraud was discovered, banks cancelled and re-issued thousands of credit cards, and consumers experienced inconvenience, worry, and time loss dealing with the affected cards.

The proposed settlement requires CardSystems and Pay By Touch to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires them to obtain – every two years for the next 20 years – an audit from a qualified, independent, third-party professional that confirms that its security program meets the standards of the order, and to comply with standard bookkeeping and record-keeping provisions.

This case is similar to prior FTC actions involving alleged failures to secure credit and debit card information. As in the prior cases, CardSystems faces potential liability in the millions of dollars under bank procedures and in private litigation for losses related to the breach.

Posted under Customer Service

This post was written by George Bounacos on April 26, 2006


One Year Later, ChoicePoint Writes A Check

After a serious data breach last year that prompted U.S. Senate scrutiny and international media attention, data broker ChoicePoint has settled charges with the U.S. Federal Trade Commission, resulting in a hit to earnings for the publicly traded company.

According to the FTC, ChoicePoint acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised and will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws. The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026.

“The message to ChoicePoint and others should be clear: Consumers’ private data must be protected from thieves,” said Deborah Platt Majoras, Chairman of the FTC. “Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business in America.”

ChoicePoint is a publicly traded company based in suburban Atlanta. It obtains and sells to more than 50,000 businesses the personal information of consumers, including their names, Social Security numbers, birth dates, employment information, and credit histories.

The FTC alleges that ChoicePoint did not have reasonable procedures to screen prospective subscribers, and turned over consumers’ sensitive personal information to subscribers whose applications raised obvious “red flags.” Indeed, the FTC alleges that ChoicePoint approved as customers individuals who lied about their credentials and used commercial mail drops as business addresses. In addition, ChoicePoint applicants reportedly used fax machines at public commercial locations to send multiple applications for purportedly separate companies.

According to the FTC, ChoicePoint failed to tighten its application approval procedures or monitor subscribers even after receiving subpoenas from law enforcement authorities alerting it to fraudulent activity going back to 2001.

The FTC charged that ChoicePoint violated the Fair Credit Reporting Act (FCRA) by furnishing consumer reports – credit histories – to subscribers who did not have a permissible purpose to obtain them, and by failing to maintain reasonable procedures to verify both their identities and how they intended to use the information.

The agency also charged that ChoicePoint violated the FTC Act by making false and misleading statements about its privacy policies. Choicepoint had publicized privacy principles that address the confidentiality and security of personal information it collects and maintains with statements such as, “ChoicePoint allows access to your consumer reports only by those authorized under the FCRA . . . ” and “Every ChoicePoint customer must successfully complete a rigorous credentialing process. ChoicePoint does not distribute information to the general public and monitors the use of its public record information to ensure appropriate use.”

The stipulated final judgment and order requires ChoicePoint to pay $10 million in civil penalties – the largest civil penalty in FTC history – and to provide $5 million for consumer redress. It bars the company from furnishing consumer reports to people who do not have a permissible purpose to receive them and requires the company to establish and maintain reasonable procedures to ensure that consumer reports are provided only to those with a permissible purpose. ChoicePoint is required to verify the identity of businesses that apply to receive consumer reports, including making site visits to certain business premises and auditing subscribers’ use of consumer reports.

The order requires ChoicePoint to establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from or about consumers. It also requires ChoicePoint to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order. ChoicePoint will be subject to standard record-keeping and reporting provisions to allow the FTC to monitor compliance. Finally, the settlement bars future violations of the FCRA and the FTC Act.

Posted under Privacy

This post was written by George Bounacos on January 27, 2006


Marriott Latest Company To “Lose” Consumer Data

Marriott’s time-share division admitted this week that it could not find personal consumer information, including Social Security Numbers, for more than 200,000 consumers. The company said in a statement that the records may simply be “lost”, but could not rule out theft.

“We regret this situation has occurred and realize this may cause concern for our associates and customers,” said Stephen P. Weisz, MVCI president. “We have recently mailed notifications to associates, timeshare owners and timeshare customers and are available to answer any questions they may have.”

Consumer advocates, meanwhile, continue to express concern over the millions of cases of identity theft occurring each year, many of which can be traced back to data breaches. “Organizations that handle sensitive consumer data must be held accountable for any use of that data,” said Consumer Help Web President Joan Bounacos. “We encourage Congress to enact severe penalties for organizations who breach consumer trust by losing personal data and endangering consumer credit and other records.”

Privacy expert Robert Douglas echoed Bounacos’ comments on his web site, PrivacyToday.com, reporting that he had told The Washington Post, “For the longest time, people have said it’s the consumers’ fault. They don’t shred their bank statements at home, or what have you. But since the California law was passed now we are learning how much of this information has been breached and is floating around out there.”

Marriott joins multiple corporations who have reported data breaches this year, including ChoicePoint and LexisNexis.

Posted under Privacy

This post was written by George Bounacos on December 30, 2005


DSW Shoe Store Didn’t Protect Consumer Data Says FTC

Shoe discounter DSW Inc. has agreed to settle Federal Trade Commission charges that its failure to take reasonable security measures to protect sensitive customer data was an unfair practice that violated federal law. According to the FTC, DSW’s data-security failure allowed hackers to gain access to the sensitive credit card, debit card, and checking account information of more than 1.4 million customers. The settlement will require DSW to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 20 years.

Columbus, Ohio-based DSW operates approximately 190 stores in 32 states. In 2004, DSW generated $961 million in net sales and sold approximately 23.7 million pairs of shoes.

According to the FTC’s complaint, DSW uses computer networks to obtain authorization for credit card, debit card, and check purchases at its stores and to track inventory. For credit and debit card purchases, DSW collects information, such as name, card number, and expiration date, from the magnetic stripe on the back of the cards. This magnetic stripe information is particularly sensitive because it contains a security code that can be used to create counterfeit cards that appear genuine in the authorization process. For check purchases, DSW collects information such as routing number, account number, check number, and the consumer’s driver’s license number and state. In each case, the information was wirelessly transmitted to a computer network located in the store, and from there was sent to the appropriate bank or check processor.

The FTC charges that until at least March 2005, DSW engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for sensitive customer information. Specifically, the agency alleges that DSW:

  • created unnecessary risks to sensitive information by storing it in multiple files when it no longer had a business need to keep the information;
  • failed to use readily available security measures to limit access to its computer networks through wireless access points on the networks;
  • stored the information in unencrypted files that could be easily accessed using a commonly known user ID and password;
  • failed to limit sufficiently the ability of computers on one in-store network to connect to computers on other in-store and corporate networks; and
  • failed to employ sufficient measures to detect unauthorized access.
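The complaint’s central point, here and in the CardSystems and BJ’s cases on this page, is that magnetic-stripe data was kept after the authorization it was collected for had completed. The following is an added illustrative example, not code from this post, from DSW or from the FTC: it shows an authorization step that parses Track 2 data (the ISO/IEC 7813 layout of PAN, expiry, service code and discretionary data, which is where the security code lives), retains only a masked card number, expiry and approval code afterwards, and a small scanner that flags full Track 2 strings that were written to a store-side log anyway. The card numbers, track strings and log lines are constructed test values; the function names are this example’s own.

```python
"""
Added example: retain only what authorization leaves a merchant needing,
and detect full Track 2 data that was persisted regardless.
All PANs, track strings and log lines here are constructed test values.
"""
import re

# Track 2 layout: ;PAN=YYMM SSS discretionary?   (start sentinel ';',
# field separator '=', 4-digit expiry, 3-digit service code, end sentinel '?')
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, used to cut down false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the usual receipt-style mask."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track2(track: str) -> dict:
    """Split a raw Track 2 string into its fields; reject malformed input."""
    m = TRACK2_RE.fullmatch(track)
    if not m or not luhn_ok(m["pan"]):
        raise ValueError("not a valid Track 2 string")
    return m.groupdict()


def authorization_record(track: str, approval_code: str) -> dict:
    """
    Build the record a merchant keeps after authorization.  The full track,
    the service code and the discretionary data (which carries the security
    code) are parsed for the authorization request only and are not retained.
    """
    fields = parse_track2(track)
    return {
        "pan_masked": mask_pan(fields["pan"]),
        "expiry": fields["exp"],
        "approval_code": approval_code,
    }


def find_stored_track2(text: str) -> list:
    """
    Scan stored data (a log, an export, a temp file) for full Track 2 strings
    whose PAN passes the Luhn check.  Returns the masked PANs so the report
    itself does not repeat the sensitive data.
    """
    return [
        mask_pan(m["pan"])
        for m in TRACK2_RE.finditer(text)
        if luhn_ok(m["pan"])
    ]


# Constructed sample: a well-known Visa test number in a made-up Track 2.
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890?"

# Constructed in-store log: the first line leaked the whole track, the
# second kept only the masked form that the record above produces.
SAMPLE_STORE_LOG = (
    "2005-03-01 lane=3 auth=OK ;4111111111111111=25121011234567890?\n"
    "2005-03-01 lane=3 auth=OK pan=411111******1111 exp=2512\n"
    "2005-03-01 lane=5 auth=OK ;5555555555554444=26030010000000000?\n"
)

if __name__ == "__main__":
    print(authorization_record(SAMPLE_TRACK2, "A1B2C3"))
    print("full track data found for:", find_stored_track2(SAMPLE_STORE_LOG))
```

The retention rule is enforced by construction: `authorization_record` is the only thing that touches the parsed track, and it returns a dictionary that never contains the service code or discretionary data. The scanner is the companion control for the “failed to detect” allegation, run periodically over anything a store system writes to disk.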

The FTC charges that a total of approximately 1.4 million credit and debit cards and 96,000 checking accounts were compromised, and that there have been fraudulent charges on some of these accounts. Further, some customers whose checking account information was compromised have incurred out-of-pocket expenses in connection with closing their accounts and ordering new checks. Some checking account customers have contacted DSW to request reimbursement for their expenses, and DSW has provided some amount of reimbursement to these customers.

According to DSW’s SEC filings, as of July 2005, the company’s exposure for losses related to the breach ranges from $6.5 million to $9.5 million.

The FTC alleges that DSW’s failure to secure customers’ sensitive information was an unfair practice because it caused substantial injury that was not reasonably avoidable by consumers and not outweighed by offsetting benefits to consumers or competition. The settlement requires DSW to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires DSW to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to assure that its security program meets the standards of the order. DSW also will be subject to standard record keeping and reporting provisions to allow the FTC to monitor compliance.

This is the FTC’s seventh case challenging faulty data security practices by retailers and oth

Posted under Customer Service, Privacy

This post was written by George Bounacos on December 7, 2005


Visa, Amex Dump CardSystems Over Data Breach, MasterCard Sets August Deadline

Visa and American Express have announced their intention to stop working with CardSystems Solutions, the data processor under fire for its announcement last month that 40 million credit card records had been hacked from its databases.

John Perry, CardSystems’ President and CEO, sounded a warning when he announced the impending defection of two of the company’s largest customers. “If Visa and American Express do not reconsider, the effect of their decision on thousands of our merchants is likely to be significant and could disrupt the operation of their payment card system,” Perry said in a statement. “Many of those merchants will need to find a new payment processor, obtain new software, and retrain their employees on a new software system.”

MasterCard, meanwhile, has required that CardSystems submit a detailed data security compliance plan by August 31, 2005.

Posted under Finance, Privacy

This post was written by George Bounacos on July 25, 2005


FDIC Remains Mum On Their Own Data Breach

Media outlets have been reporting for 15 days that the Federal Deposit Insurance Corporation has notified thousands of employees that the organization’s personal data records had been breached, and that fraud had resulted from that breach. The news was first reported in the June 16 issue of The Washington Post.

Government Computer News, which obtained a copy of the letter reported on by the Post, said that employees were told that among the information obtained was “name, date of birth, salary, Social Security number and length of service.” The letter also reportedly said that the breach occurred in 2004.

Since the organization’s breach was made public, no official statements have been made, even after two weeks. Various media sources alternately report basic acknowledgments of the breach or referrals to the Federal Bureau of Investigation. Despite part of the FDIC’s mandate calling for “…identifying, monitoring and addressing risks to the deposit insurance funds…”, the organization has been unacceptably silent on this matter.

Consumer Help Web will report at this site any information the FDIC eventually shares about their own data woes.

Posted under Privacy

This post was written by George Bounacos on June 24, 2005


BJ’s Wholesale Club Had Lax Data Security Says FTC

BJ’s Wholesale Club, Inc. has agreed to settle Federal Trade Commission charges that its failure to take appropriate security measures to protect the sensitive information of thousands of its customers was an unfair practice that violated federal law. According to the FTC, this information was used by an unauthorized person or persons to make millions of dollars of fraudulent purchases. The settlement will require BJ’s to implement a comprehensive information security program and obtain audits by an independent third party security professional every other year for 20 years.

Natick, Massachusetts-based BJ’s operates 150 warehouse stores and 78 gas stations in 16 states in the Eastern United States. Approximately 8 million consumers are currently members, with net sales totaling about $6.6 billion in 2003.

“Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security,” said Deborah Platt Majoras, Chairman of the FTC. “This case demonstrates our intention to challenge companies that fail to protect adequately consumers’ sensitive information.”

According to the FTC’s complaint, BJ’s uses a computer network to obtain bank authorization for credit and debit card purchases and to track inventory. For credit and debit card purchases at its stores, BJ’s collects information, such as name, card number, and expiration date, from the magnetic stripe on the back of the cards. The information is sent from the computer network in the store to BJ’s central datacenter computer network and from there through outside computer networks to the bank that issued the card.

The FTC charged that BJ’s engaged in a number of practices which, taken together, did not provide reasonable security for sensitive customer information. Specifically, the agency alleges that BJ’s:

  • Failed to encrypt consumer information when it was transmitted or stored on computers in BJ’s stores;
  • Created unnecessary risks to the information by storing it for up to 30 days, in violation of bank security rules, even when it no longer needed the information;
  • Stored the information in files that could be accessed using commonly known default user IDs and passwords;
  • Failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and
  • Failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations.

The FTC’s complaint charges that the fraudulent purchases were made using counterfeit copies of credit and debit cards used at BJ’s stores, and that the counterfeit cards contained the same personal information BJ’s had collected from the magnetic stripes of the cards. After the fraud was discovered, banks cancelled and re-issued thousands of credit and debit cards, and consumers experienced inconvenience, worry, and time loss dealing with the affected cards.

Since then, banks and credit unions have filed lawsuits against BJ’s and pursued bank procedures seeking the return of millions of dollars in fraudulent purchases and operating expenses. According to BJ’s SEC filings, as of May 2005, the amount of outstanding claims was approximately $13 million.

The FTC alleges that BJ’s failure to secure customers’ sensitive information was an unfair practice because it caused substantial injury that was not reasonably avoidable by consumers and not outweighed by offsetting benefits to consumers or competition. The settlement requires BJ’s to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. The settlement also requires BJ’s to obtain an audit from a qualified, independent, third-party professional confirming that its security program meets the standards of the order, and to comply with standard bookkeeping and record-keeping provisions.

The Commission vote to accept the proposed consent agreement was 5-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through July 16, 2005, after which the Commission will decide whether to make it final.

Posted under Privacy

This post was written by George Bounacos on June 23, 2005
