Egghead Customer? Your Data Goes To Fry's

An anonymous reader says: "I bought some things from onsale.com, which then became egghead.com. Somewhere in that time, their credit card database got jacked, for which they sent me a nice e-mail saying everything was ok. Now I've got a mail that I don't like at all, with the subject 'IMPORTANT MESSAGE REGARDING THE TRANSFER OF YOUR CUSTOMER INFORMATION.' Well. that's pretty much it. egghead.com info will go to Fry's Electronics, unless the customer explicitly requests that it not. How often does it happen that when a company goes under that they just sell their customer info and just not tell anyone?" Here are links to the Egghead info page and privacy and security policy.

I got this email also

[eap]

My personal info was stolen some time back and was used fraudulently to purchase some items at egghead.com

I tried the link to opt out, but you have to have a user id and password to do this! I don't have them because the criminal who stole my CC created them.

As a result, there is no way for me to get them to remove my personal info, which wasn't supposed to be in their database in the first place!

Egghead.com was also cracked about a year or so ago. They have a very poor track record of safeguarding their customers' information.

Things like this make me want stricter privacy controls for personal information.

Re:I got this email also

[eap]

There are 16 digits in your average Mastercard. (More in Amex, less in Visa). With 16 digits, there are 1,000,000,000,000,000 possible different numbers (give or take an order of magnitude). There are 100,000,000 people in the USA (again, give or take an order of magnitude). What are the odds that a randomly generated number is a real one?

You have apparently never purchased anything over the phone. In addition to the credit card number, you must also supply an expiration date and at least a billing address zip code (sometimes street address).

Let's see:

(1^15 credit card numbers) * (1^5 zip codes) * (roughly 48 expiration dates over a 4 year card life) = NO CHANCE IN HELL OF GUESSING IT RANDOMLY

the changes that will take place in info

[perdida]

Whether the data goes to Fry's or elsewhere, most data generated by virtual processes, and all other electronic transactions, will be used in ensuring security. This is especially likely due to Tuesday's tragedy.

Information's nature will change soon.

On NPR today, someone was explaining the use of electronic information as a possible alternative to ethnic, cultural, or social profiling of airplane passengers and other people who frequent public places.

The security officials would use credit-card data, bill and purchase data, phone records, and bank data in order to verify that you have an established address, haven't moved around too much or done anything that provokes suspicion.

In effect, we will all have different "clearance levels" in regular civilian society, which will decide for us whether we are stopped, interviewed, strip searched; what our freedom of movement and consumer activity will be; and what kinds of security-vital private sector training, such as computer or pilot skills, that we can enjoy.

Keeping Them Out of Your Face

[Greyfox]

While you can't do much to keep companies from selling your information, you can do a fair bit to keep them out of your face. For junk snail-mailers, there are several organizations that will get your name removed from the lists (Or added to a do-not-send list) and promise to dramatically reduce if not completely eliminate the amount of junk mail you get.

For telemarketers, finding out their company, the company they represent and the first and last name of the person you're talking to before you ask them to add you to their do-not-call list is the way to go. Log that information and sue them if they ever call you again.

For spammers your choices are more limited, especially if you don't run your own mail server. It is next to impossible to not download spam, although you can process it in such a way that you never see it. There are two solutions I like the most. The first is to keep a whitelist of people who are allowed to send you E-Mail. You can store the E-mail of anyone who has sent you mail and isn't on the list and require them to reply to a message to get added to the white list. Purge any such stored messages after a week or so. The other alternative is to reject any E-mail that's not encrypted to your obnoxiously long encryption key. A 4096 bit key takes about 30 seconds to encrypt to for a 1 page message on a P166. No spammer's going to take the time (Nor would they be capable of taking the time, if everyone did this.)

For internet banner ads and more obnoxious features of the web, I've found that disabling popups and animations in Mozilla makes things a lot less annoying. YMMV depending on your web browser.

And of course, if you know a company is likely to sell your information without your permission, don't do business with them and tell them why.

We're already constantly on the verge of information overload (or well past the verge) without some company you never heard of buying your info and jamming more advertising down your throat. Pursuing your privacy like a rabid pit-bull is the only way to avoid having this happen.

Enough opt-outs, and Fry's drops the deal!

[retrogmr]

Fry's Electronics has made it a clause of the purchase that no more than 10% of Egghead.com's customers opt-out of the mailing list.

Check this article about it on CNet:
http://news.cnet.com/news/0-1007-200-6962164.htm l

Why not buy it from some Russian hacker?

[fmaxwell]

If Fry's really wanted the egghead.com customer database, why didn't they just buy it from some 15 year old Russian hacker?

CC# are not very random at all

[Mad+Marlin]

Credit card numbers are not as random as you might think. A good overview can be found at this site.