Previous month:
November 2007
Next month:
January 2008

26 posts from December 2007

Happy Holidays!

First, I'd like to welcome all of the new readers to I've Been Mugged. If you want to know more about why I started this blog, read the first post.

Second, I'd like to wish everyone an enjoyable and safe Christmas, holiday season, and happy New Year! If you live in a cold climate and like to snow sculptures, then this Calvin & Hobbes comic strip is definitely worth a read. Enjoy!

I am going to take a break and enjoy the holidays with family. Posts will resume on Wednesday January 2, 2008.

In The News: Kroll, IBM, and I've Been Mugged

I've Been Mugged readers may remember that in August of 2007, I was interviewed by the American Banker publication for a news story about the credit monitoring service IBM had arranged with Kroll. While this article has been available at the American Banker web site for a fee, I just learned that it is available for free in the media section at Kroll's web site.

Is Twitter Really Dangerous?

At ZDNet's IT Project Failures blog, there is a good discussion about whether or not Twitter is dangerous. I can see why corporate IT professionals probably view Twitter as dangerous, since it is another (new) way in which sensitive company data can easily be divulged by employees. To me, Twitter is no different than other computing technologies (e.g., instant messaging, e-mail, flash drives, etc.) which employees can use properly or abuse (e.g., share sensitive company data with people who shouldn't access to that data).

Companies exist by meeting the needs of their customers. If their customers use Twitter, then the company should use it, too. It is always wise to, "fish where the fish are" -- for companies to communicate with their customers based on their customers' communication preference. If their customers use Twitter, then it's the wise company that Twitters to read what their customers are saying about their brand.

Regarding data security, the bigger issue is corporate training. Several readers of the IT Project Failures post have correctly commented that since employees have signed confidentiality agreements, this should be a protection. I agree: should be. There's a big difference between signing a confidentiality agreement on day one of their employment vs. complying with agreement years later as new technologies emerge.

I see no problem with students or home users who Twitter. Just like home computer users need to learn good data security habits to protect their identity data, corporate employees need to be trained on data security threats and how to practice good data security habits at work. The large number of data breaches involving laptops is one indicator that many employees don't practice good data security habits. And, that employee training should include new technologies like Twitter for both corporate employees and corporate IT staff.

Since this blog is about identity theft and corporate responsibility, I write mostly about consumers, who are either employees or former employees affected by corporate data breaches. I can think of several good applications where Twitter is appropriate and beneficial. For example, an activist blogger can use twitter to highlight or to document their experience or a problem. Another example: a company can use Twitter as another method for customers to interact with its brands. Twitter isn't for everyone as this Twitter 101 post and Matt Dickman's video explain.

What's dangerous are companies that don't enforce effective data security policies and processes... when a company loses backup data tapes, or when databases become corrupted. What's dangerous are employees that don't enforce good data security habits.

I don't see Twitter as a problem since there are so many other ways companies lose thousands of employee and customer records during data breaches. What's dangerous are companies that suffer repeated data breaches. What's dangerous are companies that don't inform identity theft victims promptly of the data breach. What's dangerous are companies that offer free credit monitoring services to ID-theft victims, while that offer duration doesn't match the risk period created by the company's data breach.

Visa Fines Ohio Bank $880 Thousand

[Author's note: title has been corrected and "Million" replaced with to "Thousand."]

From the Boston Globe newspaper:

"Fifth Third Bancorp, the Ohio bank that was fined $880,000 by Visa for its role in the customer data security breach at TJX Cos., the largest ever, also paid fines and compensation totaling $1.4 million following the loss of data from BJ's Wholesale Club Inc. several years ago, a court filing shows."

This news story is interesting because banks, retailers, and credit-card firms (e.g., Visa and MasterCard) have recently fought about data security issues and who pays the costs when credit cards must be re-issued to consumers after a retailer's data breach:

"Visa had threatened to levy fines when merchants didn't meet a Sept. 30 deadline to upgrade their systems to current security standards that spell out requirements like keeping data behind firewalls and using robust encryption systems for their wireless networks. By Visa's most recent count in October more than a third of the largest US stores didn't meet the requirements."

What makes these fines even more interesting:

"Technically, Visa and MasterCard can't fine merchants directly but rather levy penalties on banks the merchants pay to process transactions when customers pay with plastic... That Fifth Third was previously fined suggests the bank should have known better than to tolerate the issues at TJX..."

What caught my attention in this news story was a certain computing company mentioned:

"Details of the fine against Fifth Third in the BJ's case came in previous litigation in Pennsylvania filed against the bank, BJ's, and IBM Corp. by a Pennsylvania credit union seeking to recover the costs of replacing compromised cards."

Reportedly, Fifth Third was the fifth-largest processor of bank card transactions for merchants. That's about 2.5 billion bank credit card and debit transactions worth about $137 billion in 2006. Fifth Third operates more than 1,150 bank branches in the Midwest and Florida.

TJX Settles With New England Banks

According to the Boston Globe newspaper, TJX Companies has agreed with several New England banks to:

"... settle a high-profile lawsuit over payment card security practices in the wake of the record-setting data breach at the Framingham retailer that compromised up to 100 million accounts. TJX, the parent of discount retail chains including TJ Maxx and Marshalls, will pay community banks and trade groups in Massachusetts, Connecticut, and Maine a portion of their legal expenses."

Terms of the settlement were disclosed, but the newspaper added:

"...the deal won't add to the $256 million TJX previously had budgeted to deal with the breach, a spokeswoman said yesterday."

The TJX debacle is far from over:

"TJX still faces claims from an Alabama bank and probes by federal and state officials. Mary Monahan, partner at Javelin Strategy & Research in California, said the deal is a relative win for TJX and no surprise after a decision by a federal district court judge made it harder for the banks to join together to sue TJX as a lass."

If you follow this saga closely, you'll notice that TJX has given cash to everyone except to those that matter most... its customers. TJX has paid off Visa, its lawyers, and now some of the banks -- all with cash. TJX offered checks to a few customers, but most received vouchers to shop at the store. This is not a customer-friendly response to the victims of the TJX data breach, regardless of how appealing its holiday TV commercials might be.

Want to learn more? Read the TJX section of this blog and BusinessWeek. Me? I'm off to Target and Best Buy to finish my holiday shopping.

Capital One: What's In Your Database?

This is news I really didn't want to read just before the Christmas holiday.

In the TechRepublic Programming and Development blog, Justin James recently reported on some pretty scary stuff about Capital One Bank. This caught my eye since I am also a customer:

"A few weeks ago, I received a paper bill from Capitol One instead of the usual e-mail notifying me that my statement was posted online. When I went to pay my bill, I didn’t notice anything unusual — although, in retrospect, I should have. I paid my bill a few days before the due date and went on my merry way. This Saturday (after the due date), I received a letter in the mail informing me that my payment was rejected due to an invalid bank account number used for payment. Huh? My checking account has not changed in well over five years."

Apparently, Capital One's database had become corrupted. Capital One was trying to use an obsolete and 5-year-old checking account number Justin had closed long ago. That Capital One was using this obsolete checking account number when he knew the company had his current checking account number, was a clear signal that Capital One's database was severely corrupted... and that the company was unable to restore the database properly from any backup files. Not good. Not good at all.

Justin's blog post was quite unsettling as I haven't heard anything about this in the news. As Justin wrote:

"Data corruption is the silent killer of databases and the source (and often the result of) security breaches, system failures, and programming mistakes. I hit the panic button, big time."

If this database corruption is due to a data breach, I expect Capital One to have notified me promptly. I live in a state where breach notification is mandatory. So far, I haven't received any notices from Capital One. Justin has summarized well Capital One's poor customer service:

"Capitol One committed more than one of the top 10 “thou shall not’s” in IT with this incident.

  • It allowed data to be severely corrupted.
  • It deployed code without an appropriate rollback or back-up plan or path.
  • It did not notify its customers despite that the mistake is costing its customers to have late payments, resulting in fees and credit history problems if uncorrected.
  • It did not properly prepare the customer service team to handle the situation.
  • It allowed the user to see that data had been corrupted, which has destroyed all trust in the system."

I visited Capital One's web site to see what database corruption notices were posted. The Press Releases site section didn't contain any database corruption notices. Neither did the site's Online Protection or Fraud site sections contain any database corruption notices.

Not Your Grandparents' AT&T

Recently, InformationWeek reported:

"AT&T on Wednesday began providing radio-frequency identification and GPS-based products and services that schools can use to track students, assets, visitors, and their staff. AT&T's RFID application is designed to work in conjunction with GPS-based mobile resource management services, as well as the carrier's wireless data network and hosted applications. With AT&T's offering, schools can track people or assets by placing Wi-Fi-based RFID tags on ID badges attached to equipment, bracelets, shirt pockets, or book bags."

I have no problem with tracking assets or things. There are many valid business reasons for asset tracking. Tracking people is another issue. Tracking of people is another piece of sensitive personal data companies compile and archive about employees (and former employees). This sensitive data needs to be vigorously protected by companies. With any new technology like this, there's always the promise of security:

"The mobile resource management system would then relay the location of the tagged person or asset over AT&T's wireless data network to a secure Web site portal."

The reality is often something else. With the large number of data breaches and especially wireless data breaches, it's unclear to me that companies will protect this new RFID-location data rigorously or adequately, as we've seen wireless data security failures previously.

And yes, this is the same AT&T that worked secretly with the NSA to compile a database of U.S. citizens' phone calls. Since it's 2005 acquisition by SBC, AT&T has behaved in ways that give the impression it is no longer the trustworthy AT&T I've known. It definitely seems like time to switch my phone service.

RoboScalpers: Somewhere (Online) There Is a Crime Happening

It's the holidays and you want to see your favorite theater show, concert, or sports event. As soon as tickets are available, you try to buy them online but the event is already sold out. Have you ever wondered why this happens? According to a recent post at the Consumerist blog:

"Ticketmaster is suing RMG Technologies for selling lecherous software that instantly sucks up tickets to everyone's favorite concerts and sporting events. Groups like RMG are the reason tickets sell out just minutes after going on sale, only to mysteriously reappear at outrageously marked up prices on ticket resale sites like StubHub."

When consumers buy tickets online, there is an implicit level of trust that everyone has equal access to tickets. Consumer trust that they and other humans are buying tickets, and are not competing against machines for tickets. Obviously, this is not the case and the consumers' trust is being abused. The Consumerist post clearly describes how ticket-resellers acquire tickets, which some call "RoboScalping":

"How brokers can jump to the front of the line is described in supplemental documents filed in Ticketmaster v. RMG Technologies, an active Federal District Court case asserting that the defendant's automated ticket-buying software violated the Ticketmaster Web site's terms of use. The papers describe a subterranean world of software designed to enter Ticketmaster's online ticket-purchasing system at will and to scoop up tickets without limits."

What does this have to do with identity theft and corporate responsibility? Plenty. The process of RoboScalping costs consumers plenty. We lose the opportunity to buy tickets at or near face value; we pay higher ticket prices from ticket-resellers, or we miss attending the event. To buy large quantities of tickets, the RoboScalpers use automated software to pretend they are humans. And the companies involved go along with this deception because there is money to be made.

To learn more, read this SF Weekly article.

TJX Settles Visa Suit About Data Breach

According to Consumer Affairs:

""TJX Companies Inc., the corporate parent of retail chains T.J. Maxx and Marshalls, has reportedly agreed to a $41 million settlement with Visa in connection with a massive data security breach."

You can read more about this at Reuters, the Boston Globe, and CNN Money. According to CNN:

"In return, Visa will suspend and rescind a portion of the data breach fines it levied on the retailer's U.S. acquirer that remain eligible for appeal. At least 80 percent of the eligible Visa issuers must accept by Dec. 19 for the settlement to finalize."

You may remember, the TJX breach happened in 2006 (some say 2005) and wasn't reported until the end of 2006. First, some 45 million records were stolen, but the number was increased to about 90 million records. According to the news report, the credit-card-issuer companies incurred about $65 to $80 million in expenses to replace the stolen consumers' credit cards. Obviously, the card issuers want to be reimbursed by TJX for those expenses since TJX was lax about its data security. If the banks and card issuers have to absorb this expense, then everyone else will effectively pay for TJX's lax data security through higher credit card fees and rates.

Facebook's Online User Survey About Beacon

In his Between the Lines blog, Larry Dignan describes his experience with Facebook's online survey. If many users' survey responses mirror Larry's response, Facebook has lost a lot of user trust.

When asked how often he uses Facebook, Larry wrote:

"About once a week maybe twice. In the early going, I hit Facebook a lot more. I don’t have the urge to go there more often than I do."

When asked how satisfied he is with Facebook, Larry wrote:

"I was neutral. I was never in the 'I love Facebook' camp. It’s a fine utility, but it’s also one that could be applied elsewhere. Maybe Facebook is a destination. It could also be a feature. Perhaps Ning has been more useful to me."

When asked if he would recommend facebook to others, Larry wrote:

"Probably not. I’m just not much of an evangelist."

When asked if he'd heard about Facebook beacon, Larry wrote:

"Yes of course. I couldn’t help but wonder how transparent this poll was and what Facebook was trying to get at. It’s called damage control and Beacon should have been in the first five questions since we all know that’s why this poll exists."

Placing A Freeze (Or Lock) on Your Credit Files

In August 2007, the Massachusetts Governor signed a new law allowing Massachusetts residents to lock or place a "Security Freeze" on their credit reports with the three national credit bureaus. Residents can visit the Massachusetts Office of Consumer Affairs web site for instructions about how to add, lift, or remove a Security Freeze on their credit reports. Residents in other states can proceed directly to the three national credit bureaus for instructions:

The fees to add, lift, or remove a Security Freeze vary by state and by the consumer's status. For identity-theft victims, the fees are waived. For others, the fees apply and vary by state. For example: the add/remove/lift fees in Massachusetts for identity theft victims are waived, while the fees for others are a $5.00 each. In some states, the add/remove/lift fees are as high as $10.00 or $20.00 each.

More About Facebook's Beacon Program

FYI... from The Consumerist blog:

"Don't like Facebook secretly tracking your online purchases and telling your friends what you bought? Users of the Firefox web browser can use an easy add-on that jams the beacon's signal. Just install the BlockSite add-on, and then add http://** as one of the blocked sites."

I can't test this fix since I'm not a Facebook user. If anyone has used this fix, please share your experience below in a comment.

For Credit Card Purchases, Are Retailers' Demands For More Personal Information Legal?

In the MSNBC Red Tape Chronicles blog, Bob Sullivan has raised some interesting questions about what questions, if any, by retail cashiers are appropriate during a purchase with a credit card. Bob wrote:

" 'Can I see your driver's license'? 'Can I have your phone number'? 'Do you have another form of ID'? But how do you answer? It seems that to shop is to be interviewed. Everywhere you go, you are asked invasive questions. And every time you look at the news, you see another company is losing consumers' data. So you would probably rather not answer those kinds of questions, but can you say '€œno'€? Yes, say legal experts."

Bob has raised several important issues. First, it's a great idea for consumers to know their rights. Second, it makes good sense for consumers to not disclose more personal data than required. Third, consumers have a choice about whether or not to shop at a retailer that asks more questions than they feel comfortable asking.

Fourth, Bob Sullivan highlighted the Visa merchant agreement policy. This gives consumers an option to complain about retailers than violate Visa's policy:

"Complaining is simple. Call your credit card issuer (your bank) and tell them. They will in turn pass the complaint along to the acquiring bank (the store's bank). That might sound like a meaningless paper trail exercise, but it isn’t. Violation of Visa terms can actually get a merchant knocked off the credit card network, which is nearly the death penalty in today's retail world.

For consumers who are interested, see page 2-21 of the MasterCard Merchant Rules document (PDF).

Also, I checked the Privacy Rights Clearinghouse Web site and merchant laws vary by state. This is important both for consumers to know their rights, and for consumers considering a lawsuit of a retailer that requested too much personal data. For example, in Massachusetts consumers are encourage to, "notify the office of consumer affairs and business regulation or the office of the attorney general."

Software Viruses Found On New Hard Drives

While browsing the ZDNet Gear For Geeks blog, I found a post about software viruses found on new computer hard drives. Yes, you read that correctly. Not used hard drives but new hard drives.

I guess that virus-infected hard drives came from China shouldn't be a surprise, since we've already experienced tainted children's toys made in China, tainted toothpaste, and mad-cow beef from Europe.

Anyway, most of the post focused on issues for business computer users and IT (Information Technology) professionals, since most of the infected drives were large-capacity drives bought by government agencies for large databases. However, the end of the post presented some good advice both consumers and business computer users should follow:

"However, there’s a moral to this story.  Practice “safe sectors” and scan, or preferably wipe, all drives... Don’t assume that a drive is going to be blank and malware free. Trust no one. Same goes for USB flash drives - you never know what’s been installed on them."

I'd never thought about scanning my flash drives for viruses. I will from now on.

Woman Wins $2.7 Mill Verdict Against Equifax

According to a recent UPI press release:

"The Florida Circuit Court jury in Orlando said the Atlanta company must pay medical-transcription worker Angela Williams $219,000 in actual damages and $2.7 million in punitive damages for negligent violation of federal credit-reporting laws..."

Apparently, the jury agreed with the plantiff's argument that Equifax continually and repeatedly confused another person's credit information into Williams' credit report:

"At trial, her attorneys showed how Equifax repeatedly confused Williams with someone who had a similar name but whose credit file was rife with bad debt, the newspaper said. Williams disputed the errors numerous times, but Equifax kept passing along the false information, ruining her credit, she testified. After eight years of trying to resolve the issue, she sued the company in 2003."

UPI reported that this is the largest punitive-damages award ever against Equifax. This court verdict is a sad reminder that it is the individual consumer's responsibility to monitor the accuracy of their credit reports at the three national credit bureaus; and to notify the credit bureaus of any errors. Once notified, it is the credit bureaus' responsibility to fix the credit report.

To learn more, read the Orlando Sentinel article or the Credit Bureaus posts.