Consumer Receives Email Inquiry From Calgary Police About Stolen Credit Card

What would you do if you received an e-mail from a police department in another country claiming that your personal and financial information had been stolen? This happened last week to my friend, Beth (her name has been changed upon request). Beth lives in Boston received the e-mail message below:

From: Calgary Police Service
Date: Wed, Aug 3, 2011 at 4:31 PM
Subject: Police Inquiry - Identity information recovered

[Beth's personal information removed for security reasons.]

I am a constable with the Calgary Police Service (CPS) in Calgary, Alberta, Canada. The CPS recently executed a search warrant at a Calgary residence and one of the items seized was a sheet of paper bearing the personal information of 144 people; this information included credit cards, expiry dates, full names and addresses. The above information, accompanied by your e-mail address was listed. It is my intention to charge the suspect with unlawfully possessing credit card and identity information. In order to prosecute, I require confirmation that the above information is (or was) correct.

Your personal information appears to have been compromised. Therefore, I am recommending that you notify the bank that issued your credit card to have it cancelled immediately. I would also encourage you to contact your local credit reporting bureau and check to ensure that your personal information has not been used to obtain any other banking services or products.

This is a legitimate law enforcement inquiry and my credentials can be verified via the Calgary Police Service website at www.calgarypolice.ca. If you are unsure of the legitimacy of this e-mail, please present it to your local law enforcement agency, so they might assist in this investigation.

Cst. K Grier #4572
District 3 GIU
Break and Enter Detail
Calgary Police Service

First, I would like to thank Constable Grier and the CPS for catching and prosecuting identity-theft criminals. It is always good to see local law enforcement in action.

I spoke with Constable Grier about her e-mail. Since most of the identity-theft victims in this case were from other countries outside Canada, CPS notified banks and took the added step of notifying theft victims directly, when possible. Constable Grier suspected that the credit card information was either stolen from a website or accounts were hacked. Like all law enforcement, CPS appreciates the assistance the public and breach victims can provide.

This case has several implications. First, it highlights the fact that identity-theft criminals often commit other types of crimes -- in this case, burgulary. While pursuing a burgulary suspect, CPS discovered the credit card thefts. So prosecuting and jailing identity-theft criminals can also stop other crimes.

Second, this case highlights potential gaps in cross-border breach notification laws. While local law enforcement in another country may promptly notify breach victims' banks, my understanding is that there is no guarantee of data breach notice to U.S. citizens across country borders. I did some light reading and the current Red Flag Rules do not apply to breaches at bank branches located outside the USA (PDF document). Perhaps some legal scholars can expand and clarify on international laws regarding cross-border breach notification.

Third, it highlights the need for breach victims to take action. I am sure many readers want to know what to do should you receive an e-mail like the one above. Beth found this situation scary as she had never visited Calgary. She wondered if the above email was real or a scam.

Since there are so many online scams and phishing e-mail messages, I advise consumers to first verify the e-mail via an alternate method. By "alternate method" I mean an independent, different method than the format of the suspect message. Don't disclose any more personal information until you have verified that the message is real. Example: If the suspect message is an e-mail, don't press the "Reply" button. Instead, independently verify it via the phone (or an in-person visit to your local law enforcement). Example: if the suspect message is a phone call, independently verify it via e-mail or the Internet. Or, ask your local police department for help with verification of an inquiry from another police department.

In this case, verification was easy. I performed a Google search to independently find the CPS website, since I didn't want to rely on the contact information in the e-mail. At the CPS website, I found the main phone number for District 3, and called to verify that Grier is a Constable there.

I shared all of this with Beth, who started to feel better. Later she contacted Grier. The thief had stolen credit-card information for an account Beth had already closed a long time ago. While consumers may ignore the situation because credit-card theft liability is small and often limited to US $50, helping law enforcement is important. As this case highlighted, identity theives often commit other types of crimes. So, prosecution for identity theft can stop other types of crimes, too.

The Calgary Police Service Identity-theft page has advice for consumers to both avoid becoming identity-theft victims, and for identity-theft victims. If you are an identity-theft victim, CPS advises:

• File a report with your local police department and obtain a case number.
• Notify all creditors by phone and in writing about the crime.
• Keep a log of all your contacts.
• Use a credit bureau sample dispute letter.
• Look at the crime before & after the event to learn how it happened. This will often help to lead investigators to multiple crimes.
• Prepare to complete an ID Theft Affidavit.
• Learn as much as you can!!

Privacy Commission of Canada Investigates Online Dating Websites

In a report (PDF format) to the Canadian Parliament earlier this week, the Privacy Commission of Canada announced that it is investigating online data websites for privacy abuses. The investigation results from a complaint filed with the Privacy Commission office by a Canadian woman who attempted to delete her eHarmony account:

"A woman who had been a member of eHarmony complained to our Office that, upon ending her membership, she had asked eHarmony to delete her online account. Days later, she went online to check that her instructions had been carried out. She discovered, however, that she could still sign in and that the account contained all the personal information she had previously provided."

The woman then did what any of us would have done. She didn't give up. She contacted eHarmony again and requested that the company delete her profile. The company's response:

"... eHarmony replied that her account was now inaccessible to other members. However, eHarmony told her that it could not entirely delete her record of having joined, or remove her personal information."

The Privacy Commission investigated and found that while 40% of online dating users reactivate dormant accounts, a larger portion -- 60% -- do not. It's investigation of eHarmony also discovered:

"... that the option to “close” an account was not readily accessible on the eHarmony website. Nor was there a clear explanation of what eHarmony meant by that term."

The Privacy Commission suggested to eHarmony that it provide both profile "deactivation" and "deletion" options. And the difference between these two options should be cleared explained in the website privacy policy. Consumers should stay in control of their personal information. The company's response:

"... eHarmony confirmed that it had taken, or was in the process of taking, steps to address our concerns, including:
1. Establishing a two-year retention period for personal information that the site collects from the users of its service;
2. Providing a clear and efficient process for users to request removal of their personal information; and
3. Providing users with clear information about the difference between deactivating an account and deleting an account as well as information about how long eHarmony retains personal information."

The retention period is important because it introduces the risk of data breaches: when unauthorized people access consumers sensitive personal information. The Privacy Commission reviewed other online dating websites and found ths some lacked a privacy policy.

What should users of online dating services do to protect themselves and their sensitive personal information? The Privacy Commission advises consumers to:

1. Verify that the website has a privacy policy and read it before registering
2. The policy should use easy-to-understand language, and clearly state what personal information the website collects, how it is used, and how it will be safeguarded
3. Look for both account deactivation and deletion options. Look for definitions of any alternative words used "close," to determine if this is deactivation or deletion.
4. Look for a statement about how long the website retains your personal information, and if it anonymizes your information after that.

My take on this: if the website doesn't have a privacy policy, don't register with that website (or app). If the website has both a privacy policy and a terms of use policy, read both documents. If the documents are difficult to understand, don't register with that website. The documents should cover all of the devices you plan to use with the website. If there are different privacy policies for different mobile device, look for another dating service.

If the data retention period is longer than two years, skip that website and look for another service. If you are savvy about data anonymization, look for a definition of that. If you don't like what you read, don't register with that website.

As I think about it, the above consumer tips are good for any social networking website, and not just online dating websites.

Are you an online dating service user? What do you think?

Data Breach At Honda Canada Affects 283K Customers

Honda Canada announced that about 283,000 Canadian customers have been affected by a data breach at its myHonda and myAcura websites. The company had noticed unusually high website activity during February. The data stolen included names, addresses, and vehicle identificaton numbers. For some customers, financing account numbers were also stolen.

The customer data was collected by customer mail programs during 2009 to Honda and Acura automobile owners. Affected customers were notified in a letter dated May 13.

As data breaches go, this could have been much worse. The data stolen did not include birth dates, telephone numbers, email addresses, credit card numbers, bank account numbers, driver's license numbers, or social insurance numbers.However, the theft of vehicle identification numbers exposes breach victims to phishing attacks.

Also, this is not the first data breach at Honda. In 2010, about 2 million Honda customers in the United States were affected by data breach involving its Silverpop e-mail marketing vendor. The number of stolen records was later revised upwards to 4.9 million Honda customers. American Honda Motor Company provided this breach help site for its customers in the United States.

Yet Another Data Breach At Sony; Playstation Network Returns Online in Phases

Several news organizations reported that hackers attacked Sony Ericsson's Canadian eShop website. This latest Sony data breach affected only about 2,000 consumers. The Canadian eShop website provides accessories and support for phone customers. At press time, portions of the Canadian eShop website were unavailable.

The Canadian eShop breach is more bad news for Sony after massive data breaches at its Playstation Network and Online Entertainment units. Sony forecasts its breach-related costs in the United States at $171 million for the coming fiscal year ending March 2012, excluding any lawsuits.

On Tuesday last week, Sony disclosed a breach at its Sony Music Entertainment Greece website, which affected about 8,500 customers. Sony also disclosed that an unauthorized user had accessed and changed its Sony Music Indonesia website, and a hacker may have accessed its Thailand website to send e-mail spam.

On Friday May 27, Sony announced a phased restoration of service at its Playstation Network unit:

"... Sony Network Entertainment International (SNEI, the company) will begin a phased restoration of PlayStation®Network and Qriocity Services in Japan and Asian countries and regions including Taiwan, Singapore, Malaysia, Indonesia, and Thailand*1 on May 28. A new identity protection program will also be offered in conjunction with the phased restoration for PlayStation Network and Qriocity customers in Japan..."

How To Spot In Companies' Annual Filings Upcoming Trouble

Canadian Business Online reported the results of an interesting study:

"The study, by University of Notre Dame business professors Tim Loughran and Bill McDonald, reveals that certain innocuous-sounding phrases such as “related party transaction” and “unbilled receivables” that appear in corporate filings could signal fraud or, at the very least, problems with the business."

The researchers analyzed more than 50,000 10-K filings, documents publicly=traded companies file every year with the U.S. Securities and Exchange Commission. Phrases the researcher found as worrisome:

"The phrase that popped up the most was “related party transactions,” which appeared in 16,524 reports. The term, which means a deal between two parties who have a prior relationship, is worrisome... as it “could be an indication that a board of directors is not independent.” The study found that the more the phrase appears, the greater the company’s volatility in the following year..."

And:

"... the more companies used the words “materially and adversely affected,” which usually refers to a negative event affecting earnings, the more the stock value dropped after the report was submitted to the SEC. Another term to watch for is “unbilled receivables.” The study reveals that the more times that term is used, “the more likely it is that someone will subsequently file a class action lawsuit against the company.”

The results of this study sound like advice consumers could use for both investing decisions and for employment search decisions.

Canadian Commissioner Says Facebook Has 'Privacy Gaps"

From time to time, I've written about Facebook due to its privacy and potential data breach risks. Canada.com reported:

"Canada's privacy commissioner on Thursday ruled that Facebook is in violation of the country's privacy law, citing "serious privacy gaps" in the way the popular social networking site treats its 12 million Canadian users. And if the California-based company doesn't comply with Jennifer Stoddart's directives within 30 days, Facebook will likely be hauled to Federal Court to face a judge with the power to order the company to implement the recommendations."

About 12 million Canadians use Facebook. The probe found four problems:

"In addition to an "overarching" concern relating to the "confusing" or "incomplete" way in which Facebook provides information to users about its privacy practices, the report concluded Facebook's policy to keep indefinitely the personal information of people who have deactivated their accounts is a violation of the privacy law. But the biggest sticking point has to do with the practice of sharing users' personal information with third-party developers that create Facebook applications, such as games and quizzes."

Experts estimate that there are maybe a million Facebook application developers scattered across 180 countries. I'd have to agree. When you launch an application like a quiz, it is unclear exactly what information is or will be shared and specifically to whom. For this reason, I don't use Facebook applications.

Quite predictably:

"... Chris Kelly, Facebook's chief privacy officer, said the site is continually refining its privacy controls and "certainly, we think that our approach right now is compliant with Canadian law... The probe began last year after the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa filed an 11-part complaint, alleging Facebook violated key provisions of Canada's Personal Information Protection and Electronic Documents Act, the country's private-sector privacy law."

David Fewer, acting director of the University of Ottawa law clinic that filed the complaint, said this about Facebook's third-party applications:

"This is black-letter law they're applying here... Facebook can't say the law is wrong here, or is being misinterpreted. Instead, what they need to do is go back and re-engineer how they do third-party apps. I think they rolled out third-party apps out without figuring privacy obligations into the design. There was a fork in the road early on in the design. They went left and they needed to go right. And left is where the money tree is..."

For these reasons, I don't use thrid-party applications at Facebook. It's imply impossible to tell exactly what data a consumer is releasing, who the application developer is (e.g., some are more trustworthy than others), and what other companies that application developer will share consumers' personal data with. Regardless of Facebook's new privacy policy, the site seems intent on operating with an opt-out-driven ad system which places far too much burden on consumers to constantly monitor their privacy settings to ensure that Facebook hasn't started some new program that harvests and syndicates personal data.

Fraud And Scam Warnings To Consumers From the Better Business Bureau

A couple warnings to consumers so you don't get "mugged," become a fraud victim, or pay more than you have to. First, the BBB advises consumers to read the fine print at online social media sites, especially Facebook, since:

"... the large print doesn’t always tell the whole story... in January, BBB issued a warning to consumers about online ads and Web sites that use Oprah’s name to sell acai berry supplements as weight-loss miracles... these ads are still common on Facebook and MySpace and link to fake blogs such as www.jennylosesweight.com that are designed to look like testimonials of women who lost weight on the acai supplements... The phony blogs link to Web sites that offer a free trial of an acai supplement, and while the customer may think they only have to pay shipping, they could get billed as much as $87.13 every month if they don’t cancel before the trial period ends."

Another scam consumers should be aware of:

"There are many ads on Facebook that advertise ways to make easy money from home... the ads link to blogs that were supposedly created by people who made money through a work-at-home program. One such blog written by a “Sarah Roberts” claims that she added “$67,000 a year to my family’s income working 10 hours a week... The blogs direct readers to Web sites for programs such as Internet Money Machine and Easy Google Cash where they can sign up for a seven-day trial access to information on how to make money from home. While the free trial supposedly only costs $1.95-$2.95, the individual will be charged $69.90 every month..."

Be sure to follow the above link to learn about more scams. Second, the BBB warns consumers about automated phone calls offering lower credit card interest rates:

"Consumers across the U.S. and Canada are sounding off to Better Business Bureaus about incessant automated telemarketing calls promising to lower interest rates on their credit cards. Not only are the calls a nuisance and violate U.S. and Canadian Do-Not-Call laws, but some companies behind the calls are ripping off consumers by charging large up-front fees to negotiate lower interest rates with credit card companies — something consumers can do on their own for free... After the initial recorded message, consumers must dial another number to be connected to a live person. The live “operator” usually starts the sales pitch by asking for the consumer’s credit card number and whether the consumer is interested in lowering their interest rates. From there, callers begin closing the sale, asking if the consumer is willing to pay – usually from $700 to $1,000 - to have their firm contact the credit card company and negotiate lower rates."

About telephone offers, the BBB advises consumers to:

"Never give personal information, including Social Security, bank or credit card numbers, over the phone to an unknown telemarketer. Always research the company first by reviewing its Reliability Report at www.bbb.org.; When considering any company offering any type of financial assistance, insist on getting a contract in which all terms and conditions are clearly explained before signing up or providing credit card or other payment information; U.S. consumers can place their home phone number on the federal Do Not Call list by visiting www.donotcall.gov. If the consumer’s number is already on the list but continues to receive telemarketing calls—or is receiving robocalls on a cell phone—he or she can use the same Web site to report the incident to the FTC. Canadian consumers can learn more at www.lnnte-dncl.gc.ca.

Canadian Officials Criticize TJX's Data Security

More about TJX from yesterday's Daily Business Update:

"Retailer TJX Cos. failed to put in place adequate security safeguards to protect customer information, the privacy commissioner of Canada said today."

TJX operates the Winners and HomeSense retail chains in Canada. The news article explained further:

"A joint investigation by Canada's commissioner of privacy and Alberta's privacy commissioner was launched after TJX, the Framingham-based operator of such chains as T.J. Maxx and Marshalls, disclosed in January that its computer system had been breached, resulting in the theft of millions of credit card and debit card numbers..."

Perhaps most importantly:

"The company collected too much personal information, kept it too long, and relied on a weak encryption technology to protect it - putting the privacy of millions of customers at risk..."

Do you still want to shop at Marshalls, HomeGoods, and/or TJ Maxx? First, read this background about TJX's out-of-court settlement. Then, read a January 2007 TJX press release about how TJX was improving its data security:

"[TJX] immediately engaged General Dynamics Corporation and IBM Corporation, two leading computer security and incident response firms. TJX has been working aggressively with these firms to monitor and evaluate the intrusion, assess possible data compromise, and seek to identify affected information. These firms have assisted TJX in further securing its computer systems and implementing security upgrades."

Yep! That's the same IBM that suffered its own data breach in February 2007 and lost an undisclosed number of records with sensitive personal data about its employees and former employees.

Last, the N.H. Department of Justice web site posts copies of all data breach notification letters it receives. I checked the site this morning and noticed that TJX hadn't updated their January breach notification letter, portions of which contain old and obsolete information.