PERSONAL DATA BREACHES THAT CAN’T BE IGNORED

First, one of the biggest recently, by Hannaford Bros., a grocery chain based in Maine, that sports the largest personal data breach of 2008; the loss of 4.2 million credit and debit card numbers. See my Apr. 2 post. It took place while shoppers were swiping their cards in checkout lines. But it was only numbers, not connected with the owner’s name and address, so no chance of ID theft, right? Wrong! There have been 1,800 cases of fraud so far, and the company actually expected more. So what happened? Gartner research analyst, Avivah Litan, commenting in a Computerworld Apr. 28 article, thinks it involved a “rogue insider.” Based on my 35 years in junk mail database marketing, it is possible that someone in the company was involved. The blog, Securosis.com says the fraud could have been performed “directly in the Hannaford system.” Based on the fact that Hannaford CEO, Ronald Hodge, states that the food chain does not keep any personally identifiable information on the customer, someone or something had to put the numbers back together with a name and address in order for the 1,800 individuals to be victimized.

Moving on to another case, this one definitely insider driven, a former Verizon Wireless employee who worked in telesales was charged with stealing the personal information of an unknown number of Verizon customers while he worked there from November, 2003 to January, 2005. The personal data taken included name/address, Social Security number, and/or Verizon account number. In the Breach Blog, Evan Francen says this position, along with customer service personnel, have a high rate of turnover. Obviously these people need access to the sensitive data to perform transactions connected with the accounts, but until two years ago, workers were able to see the full Social Security number, along with name and address. I am curious if Verizon still asks for SS#s to open an account, and if they do, someone is still viewing the full number, which is why privacy advocates say Social Security numbers should not be required for things other than the most weighty matters like medical and financial. Francen notes that Verizon has 69,000 employees and 65.7 million customers so their collection of personal data must be humongous. You will never prevent dishonest insiders from taking what they want, but we could solve this problem from the other end by giving consumers control over their names and private information.

And then there’s the case of two LendingTree vice presidents who are accused with stealing passwords to the personal financial information of customers seeking loans from LendingTree. The Los Angeles Times says the two former executives swiped this information and gave it to competitors. The five competitors receiving the information are named in the lawsuit but not the two former V.P.s. That sounds a bit strange, but apparently lendingTree has its reasons. Same company, on another front, LendingTree is “politely requesting” Alex Stenback, who does the Behind the Mortgage blog, to remove a comment that the company considers defamatory. Won’t expand on this because it might go into litigation and I don’t want to hurt Stenbeck’s chances to defend his 1st Amendment rights. I suggest you go to Consumerist.com for the details. My point in bringing up this incident, and the other two above, is to emphasize that the practice of employees stealing the personal customer information being collected by the company they work for is alive and very well. You won’t change the nature of those who turn greedy, and apparently we can’t stop data breaches, so the only answer is to let the individual take back control of their sensitive data.