Slashdot Mirror
Egghead Customer? Your Data Goes To Fry's
An anonymous reader says: "I bought some things from onsale.com, which then became egghead.com. Somewhere in that time, their credit card database got jacked, for which they sent me a nice e-mail saying everything was ok. Now I've got a mail that I don't like at all, with the subject 'IMPORTANT MESSAGE REGARDING THE TRANSFER OF YOUR CUSTOMER INFORMATION.' Well. that's pretty much it. egghead.com info will go to Fry's Electronics, unless the customer explicitly requests that it not. How often does it happen that when a company goes under that they just sell their customer info and just not tell anyone?"
Here are links to the Egghead info page and privacy and security policy.
So who owns Fry's? Is it Disney or MS or AOL-TW?
Most companies that go under just sell the information outright. At least you got an opt out. I don't agree with them selling it at all, but again, at least there is an option...
--The space between my ears was intentionally left blank--
There was a similar case where the company went into recievership and the reciever sold off client information as an asset of the company. I can't remember the details, but it was a real big stink here on /. and elsewhere.
In this day and age of information though, information is an asset. Yours and likely an asset of any company you provide it to. Remember, you're not being made to give out your personal info, you're providing it in exchange (along with money sometimes) for a service.
Beware the Whyte Wolf.
With a gun barrel between your teeth, you speak only in vowels...
My personal info was stolen some time back and was used fraudulently to purchase some items at egghead.com
I tried the link to opt out, but you have to have a user id and password to do this! I don't have them because the criminal who stole my CC created them.
As a result, there is no way for me to get them to remove my personal info, which wasn't supposed to be in their database in the first place!
Egghead.com was also cracked about a year or so ago. They have a very poor track record of safeguarding their customers' information.
Things like this make me want stricter privacy controls for personal information.
...since privacy helps terrorists.
A.D. 1517: Martin Luther nails his 95 Theses to the church door and is promptly moderated down to (-1, Flamebait).
I used to purchase things from Onsale's auction site all of the time, including my refurbished laptop 4 years ago. They had excellent selection, and if you could find what you wanted you could usually get it cheaper than anywhere else. I also bought my new digital camera from Onsale's auction site.
Then Egghead purchased Onsale. At first Egghead did a decent job of keeping up the auctions, even imitating Onsale's not-so-hot web page design. Over the past year or two, the auctions have really fizzled - you can hardly find anything worth bidding on.
Then there was the incident where the credit card database was cracked. This did not make any Egghead customers very happy. Add to that the fact that many of their retail items were either overpriced or out of stock, the site quickly went to the bottom of the list from which I purchase computer equipment.
I am not saddened to see the company go under - they brought it upon themselves.
"The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
The Canadians have introduced bills to prevent this from happening. The company must ask your explicit permission or else both companies will be held accountable. This also leaves the door open for the good old fashioned class action lawsuit
I'm just not sure if this was passed already or not. I guess I should find out, being Canadian and all.
Angry White Guy
--Consience is a hinderance only afforded by the common man
You think that I'm crazy, you should see this guy!
You can't stop the sale of customer data unless your a majority stock holder. Stock holders want to make their money back, and customer data is a tasty sale. To protect their butts they normally have a privacy contracts with "We reserve the right to modify or change, blah blah at any time."
We don't have as much privacy you expect, credit card companies, insurance companies, banks, etc, exchange data without your permission, due to fraud and credit reporting. Even with government databases, they love selling drivers license information to companies.
Whether the data goes to Fry's or elsewhere, most data generated by virtual processes, and all other electronic transactions, will be used in ensuring security. This is especially likely due to Tuesday's tragedy.
Information's nature will change soon.
On NPR today, someone was explaining the use of electronic information as a possible alternative to ethnic, cultural, or social profiling of airplane passengers and other people who frequent public places.
The security officials would use credit-card data, bill and purchase data, phone records, and bank data in order to verify that you have an established address, haven't moved around too much or done anything that provokes suspicion.
In effect, we will all have different "clearance levels" in regular civilian society, which will decide for us whether we are stopped, interviewed, strip searched; what our freedom of movement and consumer activity will be; and what kinds of security-vital private sector training, such as computer or pilot skills, that we can enjoy.
Goat sex free since 2001
I've been wondering if an E-mail forwarding account within the European Union would be worthwhile, so that the European Directive on Data Privacy would apply.
I haven't purchased from Egghead (formerly Onsale) in a long time. In fact, at the least, I have ordered since their "hacker breaking" a while back.
After I got the "we're selling you to Fry's" email I decided to opt-out but it wouldn't accept my username and password, nor could I recover my password (via their website). I thought maybe my username was incorrect, but as far as I can tell that is not the case.
I'm wondering if my case is unique. I'm also wondering why I need a user name to opt-out. Why isn't my email enough? If I have that email setup for multiple users, then I can opt-out of all at once. I'm going to call customer support as well, but that will have to wait until Monday (thanks for the email Saturday, so that way hopefully I'll forget to opt-out by Monday).
Of course, I'm assuming that their website is actually working properly. I have order numbers and tracking numbers for previous orders, perhaps I should just email those en masse to customer support and let them deal with it.
Why would Fry's not have any online presence? The obvious answer is that there is nobody in the organization who has the competence to do so.
I would submit that Fry's is not only unaware of the security issues related to "personal data", but guaranteed to screw it up.
It's for this exact reason that I'm yet to purchase anything from a web site, save for my now non-existant domain name. I'm not saying that nobody should buy anything on the Internet, or that it's a bad thing to begin with.
But lets face it. Even now, after the "dot bust" or whatever it is called today, there still are sites that are getting hacked, Internet companies that are going bankrupt, etc. And everytime that happenes, my personal information is in danger of becoming public, or that it falls into the wrong hands.
I know dozens of people, some of them my friends, who have had their credit card numbers stolen. My best friend lost $400 on his VISA, and if it wouldn't have been for the fraud protection, he would be in a deep hole right now (we're students, we're not rich people). Losing money is the worst thing that can happen, but what about the little things? I'm getting 10-15 spam emails a day, and this is after some pretty drastic filters. But I know people who keep getting them in the hundreds. (I went on a trip this summer for a monts, and I had about 600 new messages). And there are many more reasons...
And to top it all off, these companies are treating the information that you give them as something to sell. WHEN IT'S NOT EVEN THEIRS TO BEGIN WITH!!!!!!!!!!!! It's MY credit card number, it's MY name, MY address, MY age that I inputed into their database. And yet they sell it off!
Don't get me wrong, I love the ideea of going on-line and shopping with GrogeryGateay.com, or buying anything, ordering any services online. But I'm definitely not going to do it untill I'm certain that my info and my money are safe. And ATM, no matter what anybody will say, they're not!
For telemarketers, finding out their company, the company they represent and the first and last name of the person you're talking to before you ask them to add you to their do-not-call list is the way to go. Log that information and sue them if they ever call you again.
For spammers your choices are more limited, especially if you don't run your own mail server. It is next to impossible to not download spam, although you can process it in such a way that you never see it. There are two solutions I like the most. The first is to keep a whitelist of people who are allowed to send you E-Mail. You can store the E-mail of anyone who has sent you mail and isn't on the list and require them to reply to a message to get added to the white list. Purge any such stored messages after a week or so. The other alternative is to reject any E-mail that's not encrypted to your obnoxiously long encryption key. A 4096 bit key takes about 30 seconds to encrypt to for a 1 page message on a P166. No spammer's going to take the time (Nor would they be capable of taking the time, if everyone did this.)
For internet banner ads and more obnoxious features of the web, I've found that disabling popups and animations in Mozilla makes things a lot less annoying. YMMV depending on your web browser.
And of course, if you know a company is likely to sell your information without your permission, don't do business with them and tell them why.
We're already constantly on the verge of information overload (or well past the verge) without some company you never heard of buying your info and jamming more advertising down your throat. Pursuing your privacy like a rabid pit-bull is the only way to avoid having this happen.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Fry's Electronics has made it a clause of the purchase that no more than 10% of Egghead.com's customers opt-out of the mailing list.
m l
Check this article about it on CNet:
http://news.cnet.com/news/0-1007-200-6962164.ht
The personal information was exchanged, with money for goods and/or services, with the condition that it may be used only by egghead.com, and that they may not sell it. It may be considered an asset, but it is an asset with encumbrances on its use and resale.
I tried the link, but it failed.
Fight Spammers!
Citizen Foobar! What is that you're doing? You just got off that escalator! Can't you see that's an Orange escalator? You know that you only have Red clearance, and are supposed to use the Red Rope that's hanging outside the window, over the moat with the spikes in it. What if someone with Orange clearance had needed that escalator, and had to get out of your way? Report for Termination immediately (in that Blue booth right there), and have a nice day!
If Fry's really wanted the egghead.com customer database, why didn't they just buy it from some 15 year old Russian hacker?
Fry's electronics bought a part of Egghead (the part that had your customer data.
The bottom line is that one company had your information in the beginning and now one company, which is a dirivative of that first company, has that same info.
And what's the worse they can do with that information? Try to give you a good deal on a product?
I was in the same situation as the poster, having purchased from onsale.com almost five years ago. Since I didn't want my data from a five-year old purchase cycling on to Fry's, I tried to use their opt-out script this morning, but it wasn't even working properly.
How convenient.
Bob
Science, like Nature, must also be tamed, with a view turned towards its preservation.
What if instead there was a "frequent fryer program". Would people be complaining or would they be outraged because their information wasn't merged?
Sometimes when I'm in Fry's I wished there was a "gold member" short line. (especially in returns)
When it happened, it was more Onsale (flush with dot-com cash) that purchased the failing Egghead. It really just postponed the inevitable failure.
Onsale's management figured Egghead had the better-known brand name, so the combined companies went ahead under the Egghead name.
That's why the auction pages looked an awful lot like Onsale's...
Whether we like it or not, customer information is a company asset - and when someone purchases a company they buy all the assets available. Including our information.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
Fry's isn't JUST buying your customer info from Egghead.com. They are BUYING Egghead.com. According to a speech given by Randy Fry (President) in Austin at the Grand Opening of the first Fry's in town a couple of weeks ago.
He mentioned that while Fry's had never had an online presence, it was time to develop one. And he felt the best way to do that was to purchase Egghead rather than building from scratch.
BTW, how do I know this? I was working for Fry's at the time and was able to catch this handy little tidbit...
Credit card numbers are not as random as you might think. A good overview can be found at this site.
Best Slashdot comment ever
At that point, I vowed to never buy a thing from Onsale. I've done just fine without them (their prices usually weren't all that great anyway...ditto for Egghead), and it's somewhat comforting that their "bad karma" is about to catch up with them.
(eBay long ago fixed its system to make what Onsale did nearly impossible...you can still retrieve other users' email addresses, but you have to be logged in to do that, and I suspect that all address requests are logged. A bot trawling for addresses now would stick out like a sore thumb.)
20 January 2017: the End of an Error.
so... egghead sends email to the email address
:)
on file offering an opt-out.
but, your email-on-file happened to have change
(is no longer valid). you don't get it, you
don't opt-out.
egghead goes ahead and sells that info to Fryes...
i wonder if Fryes has any idea of the *quality*
of info they are buying?
i kinda like this possibility
in the fall of 2000, toysmart, an online toy retailer partly owned by the walt disney corporation, filed for chapter 11 bankruptcy, and announced that it was including its customer data base as one of the assets to be liquidated. disney had injected $45 million into toysmart but finally pulled the plug in may 2000, and shortly after toysmart filed for bankruptcy.
it then emerged that toysmart considered its database of customer information to be a liquidisable asset, that it would sell, in effect, to the highest 'trustworthy' bidder.
the federal trade commission disagreed with toysmart, and for a while considered blocking the sale, before finally allowing it to proceed under restricted conditions. notably, these conditions did not include any obligation on the part of toysmart's creditors to either inform or obtain permission from toysmart's customers. in the end, the data did not provoke a bidding frenzy: the highest offer had come from disney itself ($50,000), with the next highest offer being $15,000 from a market research firm in maine.
for more info search google, cnet, etc., with relevant terms.
I got the e-mail, followed the link, entered my user name and password (fortunately written down a while ago, since I've not bought anything from them in tears) and they claim I've been removed.
All of this in Konqueror, so not even a hassle that I don't have one of the "big two" browsers.
Of course, if you're paranoid, there is the question of whether they will honor it...
This is the real question. If not explicitly defined in a company's privacy policy, such as Amazon.com did (saying their customer records were a business asset to be sold), do companies have the right to treat it as such? Apatently they can, although it hasn't been tested in court - but then, why did Amazon.com eplicitly state it if it were the default treatment.
As a corolary, are companies who aquire assets of another company, bound by the agreements made by that other company? I believe as a general matter of law, this is dependant on the contract in question, but with respect to customer information, is there not a defacto contract in place, governed by the terms of the company's (the company being aquired) privacy policy? Are privacy policies transferable such that they continue to be in force with respect to the data over which they originally had effect?
Since I am not a lawyer, I don't have the answers to these questions but I believe my understanding is sufficient to have properly posed them with respect to the legal status in question.
--CTH
--Got Lists? | Top 95 Star Wars Line
An interesting point. They own the company, they own the data, end of story, right?
My objection here is that many (most? all?) of these people did business with Egghead when it wasn't owned by Fry's. My personal information is not something I want bought and sold with company takeovers. Maybe I don't like Fry's, and maybe I don't want them to know anything about me.
The problem is that ultimately the information you divulge to a very select few companies of your choosing will become common knowledge to the marketing departments of _all_ companies. A buys B who reformulates it into D, and then branches off E to F, who is bought by G. Suddenly A, D, E, and G are the four major companies out there, and they ALL have YOUR information, just because you dealt with A at one point.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
dude, here's the URL for the opt-out page:
t _p
http://www.egghead.com/ShowPage.dll?page=b_1_op
... and you don't need a password, it asks for your username and email address. Plus, it's just a mailto form anyway, so compose a message to the address and ask to be opt-ed out.
Furthermore, call 1-800-EGG HEAD to get a customer service representative for help if the above process doesn't seem to work.
Try the proceedure before you panic and say they're screwing you over! Remember, egg head no longer has anything to lose by 5% of their customers opting out this way.
And no, thet don't have to tell you about it.
Why?
You don't have a de-facto right to control your information in the US, that's why. The database of information the company lawfully collected in their business dealings is THEIR asset to do what they want with (within the law, of course).
The individual records, they aren't that valuable. You don't 'own' all information about you in the world. The database as a whole has value.
As for them getting hacked, and losing their credit card info.. why do you feel so personally burned? The credit card belongs to the issuer, not you, and it's not YOUR problem if it's abused, it's the issuers. Yes, it may be slightly inconvenient to you to get it replaced.. though they informed you. Even though they said 'everything is okay', you can still call your credit card company up and request a new card because you suspect your current one has been compromised. They will send you a new one immediately at no charge.
I don't see what the big deal is.
I checked my credit card contract.
And as I though...
I am liable for up to $50 of fraudulent charges if they are a result of my *card being stolen*, and I haven't reported it.
The language is quite explicitly clear. I am only liable if my card is physically stolen (lost, etc..).
The $50 limit you specify is a legal one; credit card issuers cannot produce, say, a cardholder agreemnet that makes you responsible for, say, $200 if the card is used incorrectly.. becauset the law says so.
If I were to post my card number to every BBS, the card company could hold me as being negligent; the cardholder agreement does discuss responsible use of the card. And responsible use includes letting them know when it's being used fraudulently.
Now.. maybe, just maybe, my cardholder agreement for my generic classic Visa from the Royal Bank of Canada is better than every other credit card agreement out there... but I doubt it.
I am only resonsible for (potentially) up to $50 in fraudulent charges resulting from the theft of my CARD.
Maybe you didn't get an e-mail because they, for whatever reason, don't have your e-mail address? If they aren't able to contact you, chances are, the company they sell this data to won't be able to contact you either. What exactly is the problem?
If the new company *does* contact you, without warning, *then* I would be concerned...
Their opt-out process was very quick and painless for me after I received the e-mail notice. I only bothered to opt-out because I had no intention of doing business with them in the near future.
Sounds like you need to upgrade or re-configure your web browser to honor your preferred e-mail client.
Or you could just send them an e-mail (clearly you found the address) or call the provided 800 number. There are few things this company could do to make this process easier for you.
If you have a beef with Egghead as a company, that's your business, but they are doing everything they can to do the Right Thing here, and I applaud them for it, even if they've been the subject of misfortune in the past.
Agreed!
Except I'm still kind of confused as to why this is a privacy invasion.
How can company B handle company A's warranties, catalog preferences, refunds, replacements, pending orders, etc., if company B buys and/or merges with company A but company A destroys its own customer lists...?
I don't understand what company A (Egghead) could have or would have done differently in this case that would cease to make this a privacy problem.
It looks like it's just a simple transfer of customer data, kept under the same privacy policies that Egghead had. If you didn't like those privacy policies, why did you give them your information? Companies are bought out and merged all of the time. Do you really expect them to destroy their own customer records every time this happens?
The only reason we're seeing this issue now is because Egghead did the RIGHT THING by allowing their customers to opt out prior to the transfer. This is a very noble and privacy-friendly thing to do. It would be nice if every company did this as part of its data transfers.