Egghead Customer? Your Data Goes To Fry's

An anonymous reader says: "I bought some things from onsale.com, which then became egghead.com. Somewhere in that time, their credit card database got jacked, for which they sent me a nice e-mail saying everything was ok. Now I've got a mail that I don't like at all, with the subject 'IMPORTANT MESSAGE REGARDING THE TRANSFER OF YOUR CUSTOMER INFORMATION.' Well. that's pretty much it. egghead.com info will go to Fry's Electronics, unless the customer explicitly requests that it not. How often does it happen that when a company goes under that they just sell their customer info and just not tell anyone?" Here are links to the Egghead info page and privacy and security policy.

Is Fry's even online?

[shoppa]

It's been a couple of years since I last was in an area that was served by Fry's, but at that time they had no online presence. In fact, they sued a guy who did them the service of putting their newspaper ads online.

Why would Fry's not have any online presence? The obvious answer is that there is nobody in the organization who has the competence to do so.

I would submit that Fry's is not only unaware of the security issues related to "personal data", but guaranteed to screw it up.

How often? Every second of the day.

[LoudMusic]

Selling databases of customer information is a very large business. So large in fact that a company by the name of Acxiom has become an international fortune 500 company doing just that. How much junk (snail) mail do you get? Chances are they house the records of your personal information and purchases you've made, when, where, how (credit card ..) and how much. They even print the billions of mailing labels every year. They also sell databases of customer information in electronic form. I'm sure this is how we all receive those thousands of wonderful emails asking us to sign up for insurance and toner.

But they also do more respectable business. Like they used to manage Dillard's warehouse stock information. They'd kick the data around and tell them what's selling where, what to order more of, and where to ship it at what time of the year. Pretty cool stuff actually.

~LoudMusic

Keeping Them Out of Your Face

[Greyfox]

While you can't do much to keep companies from selling your information, you can do a fair bit to keep them out of your face. For junk snail-mailers, there are several organizations that will get your name removed from the lists (Or added to a do-not-send list) and promise to dramatically reduce if not completely eliminate the amount of junk mail you get.

For telemarketers, finding out their company, the company they represent and the first and last name of the person you're talking to before you ask them to add you to their do-not-call list is the way to go. Log that information and sue them if they ever call you again.

For spammers your choices are more limited, especially if you don't run your own mail server. It is next to impossible to not download spam, although you can process it in such a way that you never see it. There are two solutions I like the most. The first is to keep a whitelist of people who are allowed to send you E-Mail. You can store the E-mail of anyone who has sent you mail and isn't on the list and require them to reply to a message to get added to the white list. Purge any such stored messages after a week or so. The other alternative is to reject any E-mail that's not encrypted to your obnoxiously long encryption key. A 4096 bit key takes about 30 seconds to encrypt to for a 1 page message on a P166. No spammer's going to take the time (Nor would they be capable of taking the time, if everyone did this.)

For internet banner ads and more obnoxious features of the web, I've found that disabling popups and animations in Mozilla makes things a lot less annoying. YMMV depending on your web browser.

And of course, if you know a company is likely to sell your information without your permission, don't do business with them and tell them why.

We're already constantly on the verge of information overload (or well past the verge) without some company you never heard of buying your info and jamming more advertising down your throat. Pursuing your privacy like a rabid pit-bull is the only way to avoid having this happen.

Enough opt-outs, and Fry's drops the deal!

[retrogmr]

Fry's Electronics has made it a clause of the purchase that no more than 10% of Egghead.com's customers opt-out of the mailing list.

Check this article about it on CNet:
http://news.cnet.com/news/0-1007-200-6962164.htm l

I tried

[www.sorehands.com]

I tried the link, but it failed.

Re:I tried

[lha2]

To which I got this response:

http://www.1tightass.com/fast/vids/movies/r2.mpg
...
----- The following addresses had transient non-fatal errors -----

----- Transcript of session follows -----
... while talking to smtp02.egghead.com.:
>>> RCPT To:
... Deferred: 452 4.2.2 Mailbox full
Warning: message still undelivered after 8 hours
Will keep trying until message is 3 days old
...

Egghead opt-out not currently an option

[bad-badtz-maru]

----- The following addresses had transient non-fatal errors -----

----- Transcript of session follows -----
... while talking to smtp02.egghead.com.:
>>> RCPT To:
... Deferred: 452 4.2.2 Mailbox full
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old

Re:I got this email also

[eap]

There are 16 digits in your average Mastercard. (More in Amex, less in Visa). With 16 digits, there are 1,000,000,000,000,000 possible different numbers (give or take an order of magnitude). There are 100,000,000 people in the USA (again, give or take an order of magnitude). What are the odds that a randomly generated number is a real one?

You have apparently never purchased anything over the phone. In addition to the credit card number, you must also supply an expiration date and at least a billing address zip code (sometimes street address).

Let's see:

(1^15 credit card numbers) * (1^5 zip codes) * (roughly 48 expiration dates over a 4 year card life) = NO CHANCE IN HELL OF GUESSING IT RANDOMLY

What's really going on...

[Hi-Tech+Redneck]

Fry's isn't JUST buying your customer info from Egghead.com. They are BUYING Egghead.com. According to a speech given by Randy Fry (President) in Austin at the Grand Opening of the first Fry's in town a couple of weeks ago.

He mentioned that while Fry's had never had an online presence, it was time to develop one. And he felt the best way to do that was to purchase Egghead rather than building from scratch.

BTW, how do I know this? I was working for Fry's at the time and was able to catch this handy little tidbit...

CC# are not very random at all

[Mad+Marlin]

Credit card numbers are not as random as you might think. A good overview can be found at this site.

Re:This is why I don't buy stuff on-line.

[aozilla]

It's for this exact reason that I'm yet to purchase anything from a web site, save for my now non-existant domain name.

Oh c'mon. Do you think that your credit card numbers are safe when you buy something offline? Do you think offline companies don't sell your information? There's no difference, it all depends on the specific security and privacy policies of the company, not whether the company is online or offline.

My best friend lost $400 on his VISA, and if it wouldn't have been for the fraud protection, he would be in a deep hole right now (we're students, we're not rich people).

But there is fraud protection. If they don't have a signiture or other proof that you authorized the purchase, they can't make you pay for it. Credit card numbers are merely numbers, no more.