I've Been Mugged Blog

Earlier this week, a former coworker, Diane, shared with me the following breach notification she received via e-mail:

From: "Working Assets" <[email protected]>
Date: November 4, 2007 12:26:55 AM EDT
Subject: Important Notice: Security Breach

Dear Working Assets Customer,
We regret to inform you that the company we contract with to provide online services, Convio, has identified a breach of one of their internet security systems. There was no breach of personally-identifiable information or credit card data, but your email address and password for managing your Act For Change and Working For Change subscriptions were obtained by an unauthorized third party. Please note that the database holding account information related to Working Assets long distance, wireless and credit card accounts was not affected.

There is potential for misuse of this information however, should you use the same email address and password on other personal accounts, whether Working Assets products, banking, PayPal, Amazon, etc. Convio would like to advise you of important steps that you can and should take to prevent misuse of your personal information:

- If this email address and password are used together on any other accounts, it is recommended that you change your password on those accounts and sites immediately. We recognize that this is an enormous inconvenience, but this step will minimize your security risk.

- Pay careful attention to emails you may receive requesting personal and financial information, and only provide it when you can confidently confirm that it has come from a trusted organization.

- Report any suspicious activity immediately to the account provider (bank, credit card, etc.) and to credit bureaus. We take your privacy seriously, and as a protective step have immediately deleted all passwords from the Act For Change and Working For Change website and subscriptions. This will not affect your subscriptions or site usage, and you will simply be prompted to create a new password when you go to manage your account.

Our vendor Convio has asked us to convey their deepest apology and assurance that security has been restored. If you have any questions or concerns, please feel free to call (800) 788-0898 or to email [email protected].

Stephen Gunn
Vice President, Operations
Working Assets

While I like the social causes that Working Assets (WA) supports, I can't ignore the problems with this breach notification. First, the notification relies on a single channel: e-mail. Users often view e-mail breach notification as spam. While e-mail notification is definitely cheaper and faster than snail-mail notification, the savings and speed must be balanced against customers' trust. Better to inform identity-theft victims both by e-mail and snail-mail.

Second, the notification's content gives the impression that WA's goal is to avoid responsibility for the breach. Most of the e-mail letter covers what the consumer should do, and not what WA is doing. The letter does not explain what WA is doing to:

• prevent future data breaches by Working Assets and/or its subcontracts,
• closely monitor and demand data security upgrades by subcontractor (Convio),
• closely monitor other subcontractors it hires,
• offer credit monitoring and/or credit restoration to identity theft victims already affected

Moreover, WA's notification seems to be a copy with few changes to Convio's breach notification. This makes me wonder what value WA adds to their notification, if any. This notification also does not promote feelings of trust with WA.

Third, while WA's data breach didn't disclose any sensitive data (e.g., SS#, driver's license number, credit card number, banking account numbers), it did disclose the sign-in information (e.g., e-mail address and password pair) thieves could use to access sensitive data in Working Assets or other accounts. I doubt many consumers will see a difference between having their sign-in information stolen versus having their sensitive personal data stolen directly. The end result for identity-theft victims is the same: their sensitive data has been put at risk.

Fourth, the communication doesn't mention a WA web site for the ID-theft victim to obtain updates about the breach, answers to frequently asked questions, WA's data security, WA's investigation, Convio's data security, and Convio's investigation. This gives me the impression of a lax and somewhat disorganized response by WA to their data breach. (To the good, WA does provide a simple Security Notice page in its web site.) Basically, the e-mail notification seems to be one big, "we're sorry and best of luck to you" kiss-off.

I'd grade Working Assets' breach notification as a D- in terms of completeness and corporate responsibility. I wonder if the company has studied and learned from prior breaches and corporate responses, like the TJX debacle and Don Imus' blunder. WA customers should also learn more about security problems at Convio.