Dear Sir: Your Credit Card Number Has Been Owned
An anonymous reader submits: "California has become the first state in the nation to require companies victimized by malicious computer attacks to disclose what might have been compromised to their customers. Dubbed the Security Breach Information Act, companies whose systems are cracked and have credit card, bank account, and/or other significant customer data stolen are required to report the intrusion either by email, snail mail, a notice on their website, or by notification to the news media. Law takes effect Tuesday, July 1 (tomorrow)."
Slashdot was compromised back a few years ago. The maintainers were very quick to notify everyone and recommend changing passwords immediately. If only other businesses were as forthcoming!
And there weren't any credit card numbers involved!
Helping with organizational effectiveness is our job.
"All your base is now belong to them."
Not a bad idea but, with them having a 38 billion dollar deficit one would think they'd be focused on that.
So glad not to be there now.
FTM (Fecal Troll Matter) can beat the rush and blahblah... presumably that's his/her/its FP claim.
yeah it makes no sense, but he is fecal matter, of trolls no less, what more could you expect?
guess that makes him/her/it hella stinky.
Ownage!!!
"All your CC nums are belong to us."
:-(
Please don't mod me down
People should be responsible for poor security they implement.
autopr0n is like, down and stuff.
This looks like a good start for something that should have happened a long time ago. If people know their information (such as credit card numbers) has been compromised, they can solve the problem. Under Australian law, I think that companies have to tell you if you ask, but I'm not sure they actively publish that kind of information... If they don't, they should! Does anyone know if ISO has a certified standard for web services security? If not ... this might be a good time to make one...
"Umm, I would send out notices, but it appears that the crackers overwrote the mailing addresses of our entire userbase with 123 Sesame Street."
I don't think that posting the information on the website would be effective enough. Sites such as amazon.com may have my credit card number stolen. If I don't visit the site within the time frame that they are displaying it then I may never find out about it. They need to do something that requires less action from the users such as snail/e-mail. I don't think site postings should be allowed.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
guess we know what state hax0rs will target tonight, trying to be the first to make a company "go public"
way better than IPOs!
Chicago2600.net more than a lifestyle, it's a survival trait.
To quote the parent:
Yea, all you need to do is find the white-on-white "click here" hyperlink.
Like I'm supposed to go out every day and check every credit card site, all my bank account sites, every mutual fund site, every stock broker site, etc, etc, etc?
Why? Why does the company that has been hacked have to engage in a deliberate act (e-mail, snail mail, phone calls, whatever) except for this? Why not force companies to own up to their mistakes?
Karma: Food Fight (Mostly affected by Date Plate).
...that this WASN'T required by law before!
CAn'T CompreHend SARcaSm?
Does anyone actually expect American Express or a similar large company to post publicly on their website that they were 0wnz3rd?
If so are they going to post a list of everyone whose information was possibly lifted?
(Translated to English, for readability purposes only.)
1337 h4xxor> The company I broke into published it in the morning newspaper!!!1!1!
5kr1p7 k1dd13> That's nothing!1!! I made the evening news!11!!!1!1
Aha, spelling Nazis, now the shoe is on the other foot!
Always making spelling mistakes! It's 0\/\/N3D!
good idea, poor implementation
considering most people don't know they are "0wn3d" for a while, what good will this do? there are probably hundreds of laws dealing with credit card fraud, why add another?
if a company has a file or some kind of hard copy with cc numbers and that material gets stolen or lost do they then have to notify everyone of the breach?
i do live in this state and wonder why they waste their time passing something that will be so extremely hard to enforce.
seems to me that if I did business with a company and they told me they had given up my cc, I'd feel like my gf told me to go get a "check up" because she mysteriously contracted herpes.
I'd drop them like a hot potato
Instead of fixing their security, companies will just find it cheaper to just move their servers out of California.
Linux O Muerte!
When I first started using credit cards 3 years ago, I never used one on the internet for 6 months, fearing the consequences of a theft. But, one fine day, my statement showed charges from some cruise/vacation website and some discounts program I never heard of before for $200!! I got mad and called the credit card company and it took them 2 months to fix it. Then, I decided, what the heck, let's use 'em on the internet since the numbers will be stolen anyway. :(
New year Resolution: Don't change sig this year
companies whose systems are cracked...are required to report the intrusion either by email, snail mail, a notice on their website, or by notification to the news media.
Now I'm not sure what I should be more afraid to find in my email, this or spam....
Business \Busi"ness\, n.;
A scam in which all people involved perceive as beneficial...
When the hacker breaks into the notification server?
Even if they didn't steal any information (other than some emails on the server) they could scare the living crap out of a lot of people....like a BIG practical joke.
Then the company would have to send out another email via the notification system to their customers....this ought to be interesting...why trust the company that claimed it was hacked yet it wasn't?
"Some fight for law. Some fight for justice. What will you fight for? One day, you will see."
Increased costs take effect Wednesday, July 2 (the day after the day tomorrow).
In their zeal to be so socialist, capitalism is being driven out. Their nice deficit is proof positive. Oh well, their loss, our gain.
Informing customers prior to account signup/transaction about whether or not information prone to identity theft is to be entrusted to some third world nation.
I definitely want to know who I'm doing business with.
Your credit card number could be stolen, find out more ....at eleven.
for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
There are several other state laws kicking in as well - here in Indiana there's a new anti-spam law (modeled after several others and unlikely ever to get dusted off) targeting forged email headers...
Now if we can only get Daylight Savings Time here we might step into the 20th Century (never mind the 21st!).
Stop by my site where I write about ERP systems & more
Sorry for that. While this is good for the Consumer, it is even better for hosting companies and businesses deciding to move elsewhere. The sad fact is that without really good analytical tools - most companies do not know what was cracked at all.
Tripwire is one that comes to mind, and if used properly is an excellent forensic tool. Too bad some schmoes don't know that. I know an IT director who believes that wiping everything down and reinstalling from a backup image is the way to go. Of course - backups aren't 100% reliable and you tend to lose data - but who am I and what do I know?
Trust me - that works until you lose really critical data. Then you are screwed buddy. Oh well, that's NMP. Not my problem.
Funny thing is that if they don't know they were cracked, how do they know when to notify you that your account or data might have been cracked and hijacked?
Think about it. If they were too stupid to catch it, how will they ever know who to notify and who not to notify? When you cannot trust your data, everything else becomes meaningless.
I wonder if these notices will lead to more false insurance claims from losses due to cracking? After all, how can the banks, credit card companies, etc. prove diddly when they don't even know for certain that you have been cracked or if their data is accurate or just total hogwash.
Would you trust a business that notified you that your account might have been cracked and you could have some of your valuable precious data being floated around the Internet?
Of course, they could have avoided all that by using real equipment, but you won't know the truth any more than they know the truth.
All Ad hominem replies happily ignored as the sender shall be deemed to lack the faculties to comprehend the equation.
AC IDIOT
Do you think that a little "This site powered by Windows 2000" icon on the bottom of the page would be considered appropriate notification?
The best bit is when sites who've been quietly amassing yer personal info have to turn around and say, "Uhhhh, because we were dumb, all this information we gathered without your consent is now in the hands of someone who will do worse stuff with it than us."
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
I do agree that this would be a great thing - but maybe nationwide rather than just in California. Us as consumers deserve to know when our information is compromised, although, enacting such a law is just going to add another reason to the list of reasons for businesses to move elsewhere. Maybe when I get my degree in CS in December I'll just have to move out of state to find work.
MOD THIS PARENT UP!!!!!!
what probably happened is that your bank got r00ted, which is where someone got your CC#. Or, your ISP's billing system, some brick+mortar where you used your CC kept a database internet accessible, etc.
The _only_ sure-fire way to prevent getting your CC# stolen is to not have a CC to start with. But that still doesn't protect you from identity theft as someone can open a card in your name if they have your SSN from somewhere.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
I have no CCs so it's NMP!
You can get more with a kind word and a gun than you can with a kind word alone. - Al Capone (1899-1947)
It should read:
f00: 3y3 0W|\|x0r j00r kr3d17 K4rD w17 m4h 1337 5kr1p7 K1dd13 P0\/\/4h!!!111111~
I mean, the least you editors can do is quote accurately.
---- I'll take you in a Hunt deathmatch any day.
In short, you are better off keeping a hard copy; if the paper copy gets stolen then you don't have to notify anyone.
this is only good if they know they have been compromised!
It doesn't matter where the freaking server is.
What matters is where the customer is. Damn, this is plain talk, not lawyerese, in the first coupla paragraphs of the law. It's in the link.
Use the Link, Lurch.
You started using credit cards only three years ago? Why, in my day we had to use credit cards made out of stone, uphill, both ways, in the snow...
Seriously, you also have to consider "where" and "why" credit card numbers and such get stolen. For example, I've used credit cards over the net for (eeek! I'm old!) about 10 years, and the only problem I've had was some magazines that got charged to the card I use to pay my sister's account. That got fixed easily enough.
In the 30ish years I've used things like checks and credit cards to pay for things, I've had (um....) one check forged (after my place was broken into; I had reported it stolen and it didn't get cashed), the thing with my sister (which was from some telemarketer trying to get a bonus or something), and maybe one or two other things.
Then again, there's my parents, who had people at their ISP using their credit card number to pay for porn sites.
I suspect that if a lot of people who have their credit card information "stolen" would confess, they used it for one of those "increase your penis size while you get rich quick by getting a four year degree from an 'online university' so you can help your partner increase their bust size before you dump them to meet sexy russian women who want to help you get money from Nigeria" scams.
I guess maybe it's a matter of trust. I switched my upstream provider from dimensional.com to kaosol.com because daud changed companies. I trust him; he and his crew have gone out of their way to try and help me, so they get my business.
I'll guarantee you that the first company that sends me a "our servers may have been hacked" notice will lose my business forever.
Karma: Food Fight (Mostly affected by Date Plate).
Whatever happened to encryption?
why not make the company responsible for notifying my credit card company? Or better yet make them pay for fraudulent charges that I could prove were from their negligence?
They screwed up, they should incur the cost of cleaning up the mess. If companies were responsible to that degree then watch how high security budgets would skyrocket. If they shouldn't be responsible to that degree with my sensitive information then why bother passing legislation like this?
Look at the bottom of this page - MS has a Java database driver for UNIX systems, distributed as a .tar file (direct link, installation instructions). It looks like Microsoft uses ksh, not bash. And according to the FAQ, the driver itself is written in pure Java.
There's something unsettling about all of this...
Cygwin, like everyone else does in the first ten minutes with a Windows box.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
This is just an attempt to sell Microsoft a lot of stamps.
Is there an example of a company not doing this already?
... probably it is the credit card company who should enforce it; let them sue the negligent company.
Does anyone know if there are Visa/MC policies on notifying them?
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
Between the time the company notifies you and you receive your new card in the mail, that's damn near 14 days of sales tax he can't collect on purchases you might make
I've thought of (maybe someone else has also) a new twist to this story:
So Ms. Hacker knows of an unscrupulous company that has absolutely no intentions of ever conforming to this new law. Maybe Ms. Hacker works for this company and knows the policies inside and out. So Ms. Hacker decides to go on the rampage, hack the company and grab all the personal info of the client base. She waits. And waits. The company never reveals the intrusion, even though she KNOWS beyond a shadow of a doubt, the company is aware of the breach. What happens next? Ms. Hacker reveals in an anonymous manner, the details of the breach (concealing her information of course) and an example of the information stolen. Ok. Maybe she's not the smartest cookie, but hey, the world needs ditch diggers too. The moral of the story: This is a new way to get back at the company.
Sure, it's a little far-fetched, but think of the possibilities.
Jerry Fletcher,
Privacy Protection By:
http://www.cotse.net/servicedetails.html
OK, I first thought, oh my God, this is a great law, how come they have not thought it up earlier.
Now I think a bit more. Now consider this scenario.
Joe has a bit of investment, he wants to start a .com selling a monthly service, say a magazine subscription. But he likes to charge by page views.
Joe has a big problem: he can't use a third-party credit card gateway without storing the actual credit card numbers.
The reason is because CC#s are generally designed for one-time sales at your Payless store next door; they were never designed for micropayments.
So Joe says, OK, I can use a service to store the billing info including the CC# on the gateway's server so I am not liable!! Oops, now I have to pay $$$ to the payment gateway for this extra service but I only have a few bucks to start the business.
OK, so Joe will now store the CC#. Considering Joe hires developers with any sense in security, they will at the minimum put this data encrypted in a relational database. Where are we going to put the key? In some file on the same server where the database resides? What kind of security is this?
Joe needs an auditing trail, cron jobs run by root to read the key files, firewall, SSL, security policy. How much will this now cost?? $$$. OK, Joe will hopefully install OpenBSD and the hell with it -- I won't get cracked!! Maybe.
Now seriously, if one needs good protection, multiple levels of security need to be implemented by professionals in the field. I am afraid that too many small businesses online, or even large ones, want to save costs and bypass security. Maybe this law will make them think again.
How about that. Someone breaks partway into a system at my bank. The bank may not know exactly what has been compromised, but they then publish a list of what it could be. Intruder now knows how close they are to the money!
-- All your bass are below two Hz
A good security worker will be treating a lot of false readings as possible security concerns. Despite all the audit trails, a thief looking for a backdoor just might find one that leaves an uncertain trail or possibly no trail (for example someone might make a copy of a backup tape, or sniff the LAN).
Being conservative, I cannot help but think that every day there is something that "might" be a security breach. If the data is in a company, the data just might have been compromised. To follow the law, companies would have to send out a letter every day saying, "your data exists; therefore it may have been compromised."
As for actual theft of credit card numbers. I've seen more of it happening at cash registers than in IT departments, but security is a matter of thinking what might happen, not what should or did happen.
But, to be frank, I think the legal community is looking at the wrong end of the equation. The credit card laws and credit card companies tend to make the merchant the villain when the system is doing very little to stop the actual criminal.
The Courts say: "You stole $90,000...well shame on you...the merchant will now have to refund the money to the credit card company. Shame on you, see how much you just cost a merchant? you should feel really bad now."
The _only_ sure-fire way to prevent getting your CC# stolen is to not have a CC to start with. But that still doesn't protect you from identity theft as someone can open a card in your name if they have your SSN from somewhere.
Ha! Finally, having bad/no credit is advantageous! They'll never be able to get a card in my name! Bwahaha!
These rules are good. I think both notification and public notices of being hacked should be required. But merchants and customers should be smarter to start with.
Many prominent ecommerce sites insist that if you buy with them, you have to open an account where your credit card info will be stored permanently (read the fine print on PayPal, for example, what happens when you try to erase it).
In order to permit you to reuse the credit card number without reentering it later, it generally has to be stored in a place accessible to the web server applications, aka a very hackable location. They usually claim to protect this via n-bit encryption, but their application can easily decrypt it, generally meaning that a hacker who owns the web server can as well.
If a brick-and-mortar merchant insisted on storing a xerox of the credit cards of all his customers in a filing cabinet on the sales room floor in case any time in the future they forgot their credit cards, I would still feel more secure than this sort of e-merchant makes me feel (because the volume of CC numbers is less and it can't be accessed remotely) than a database with millions of card numbers. There is a huge difference between temporarily using the credit card info in a transaction database and making it permanently available in an account database. Not only can transactions records be more-fully isolated from the web servers than account records, but in the transaction case, the most compromised is far less than the millions of credit card numbers compromised in an account database. You make yourself vulnerable forever if you do business with someone who wants to keep your credit card available in your account, and they probably will not even tell you if it is compromised.
IMO, good merchants do not insist on storing your credit card number in the account, but rather permit you to manually reenter it every time. Just like all the Microsoft email conveniences that turn out to be security holes, this sort of ecommerce convenience is asking to have your credit card number abused, with no notification. The number is safer in your wallet or travelling across SSL than in a web-server database with millions of other credit cards.
PayPal refuses to erase the account info even if you erase it. Perhaps this sort of law will eventually force irresponsible merchants to rethink the way they expose millions of cards to cracking. You can't hack what is not on the server.
I would say the majority of stolen CC #s are probably not on the net. At least personal anecdotal evidence seems to point in that direction. I've known at least five cases, one of which being my parents who are generally anal in protecting their credit cards / bank accounts, in which the number was stolen and used. One interesting thing to note about these cases was that they all were either proven or most likely stolen at restaurants.
The next time you're at a restaurant, receive the bill, and you're about to give the credit card to the waiter or waitress you may just want to consider how much trust is required for that transaction. The waiter takes your card, walks off and runs the card, and comes back with your receipt and card. In that amount of time out of your possession, the number, name, expiration date, and the bank information on the back of the card could all be easily copied.
" or by notification to the news media"
What if the malicious attack is the news media?
Now they know how *I* feel.
Well, we have a 32 billion dollar budget deficit, but at least...
at least...
at least we won't vote for a Republican.
California is known for having more progressive laws.
"A company that does business in California must notify any customer of such unauthorized access. Failing to notify consumers can result in the company being sued in civil court"
Since trial lawyers write the laws in CA (and are the biggest contributors to the Democratic party in CA) in order to facilitate them suing everyone for everything, this law makes perfect sense.
It's "boot", at least in most English countries
Dear Sir
Our main server (Windows 98) was hacked this morning. Our database (MS Access 97) has been compromised. Our security supervisor (MS Bob) was not able to detect the intrusion in time.
Please excuse us: here are the data that has been compromised, we recommend you to change it...
Your name
SS number
Credit card number
phone number
email
We would like you to know that, due to this attack, we upgraded our system. We now use Windows ME and Office XP
Thank you for your attention...
How you gonna buy the gun without a credit card?
These credit card numbers weren't 'stolen', they were LIBERATED!
"Ask not what your country can do for you." --John F. Kennedy
People should be responsible if they are negligent, I agree. OTOH, expecting perfect security, as some on this thread seem to be doing, is wishful thinking. The world doesn't work like that. Bank robberies happen, and sometimes they get away with it. Cracks happen, and sometimes they get away with that, too. You should take reasonable steps to secure your facilities and have a sensible contingency plan for when that security fails.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
While on holiday in the Lake District a while back, some friends and I were going up to the top of Scafell Pike, the highest point in England. One of the paths was particularly treacherous, very steep and with lots of stones that slipped under foot. (Not good for those of us uncomfortable with heights!) After a few hundred metres, we got to the top of the path, only to find a sign there, facing toward anyone who was about to go down it.
It said, "Danger of death! Path under reconstruction! Keep off!"
We were suitably impressed. :-)
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Hackers have used this attack many times before. The most recent one that I remember was PayPal. They claimed the password database had been corrupted or something, and asked people to click the link and reenter their passwords. Got a whole lot of accounts that way.
Someone else did it with a note that said they were putting a timer on service so that you had to log in every so often to keep your account active. People went and logged in by the thousands to the phony site they set up.
I hereby place the above post in the public domain.
one company that has done the same thing to me:
"Chase Manhattan Bank".
I called and closed all my accounts with them.
My baysian filter can beat your baysian filter.
Oh yeah? Well, my Bayesian filter is spelled right...
I hereby place the above post in the public domain.
Sounds like a good law until you find out some of the implications. How do you know if a computer contains personal information under the law? If you are at, for example, a University of California institution and an email with someone's SSN in it is on a random computer that gets hacked, the responsible sysadmin (thankfully not me) must notify that individual. How do you find out which of thousands of personal machines by staff has someone else's personal info... many machines a day get hacked at just one UC campus. It is near impossible for the campus I'm at to comply... I do like the intent of the law, just not some of the implications.
It certainly helps to keep your cc# db encrypted, possibly using syskey or the like to access it. But remember, the database is there for a good reason--there are lookups run against it all the time (heck, otherwise you could just airwall it). So you have to be able to decrypt it, and that generally means that if someone roots either the box it's sitting on, or one of the boxes that does lookups against it, all your base are belong to them.
I hereby place the above post in the public domain.
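The trade-off argued in the comments above (an application that can decrypt stored card numbers hands them to whoever roots it, versus "you can't hack what is not on the server"), as an added example that is not part of the original thread: a token vault keeps the numbers on a separate service and gives the web tier only an opaque token and the last four digits. `CardVault` and `WebTier` are hypothetical names, and the card number is a constructed test value.

```python
"""Added illustration: keeping card numbers (PANs) off the web tier.

CardVault and WebTier are hypothetical names, not taken from any product.
"""
import secrets

# Constructed sample: a well-known test number that passes the Luhn check.
TEST_PAN = "4111111111111111"


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, used to reject mistyped numbers."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """Stands in for an isolated service on its own host and network segment.

    Assumption: in a deployment the web tier reaches this only through a
    narrow authenticated API that never returns a full card number.
    """

    def __init__(self):
        self._pans = {}  # token -> PAN; never exposed to callers

    def tokenize(self, pan: str):
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from PAN
        self._pans[token] = pan
        return token, pan[-4:]

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._pans.get(token)
        if pan is None:
            raise KeyError("unknown or deleted token")
        # A real vault would submit `pan` to the card processor here.
        return {"status": "approved", "last4": pan[-4:],
                "amount_cents": amount_cents}

    def forget(self, token: str) -> bool:
        """Erase the stored number; the token becomes useless."""
        return self._pans.pop(token, None) is not None


class WebTier:
    """The internet-facing application and its account database."""

    def __init__(self, vault: CardVault):
        self._vault = vault
        self.accounts = {}  # user -> {"token", "last4"}; no PAN, no key

    def save_card(self, user: str, pan: str) -> dict:
        token, last4 = self._vault.tokenize(pan)
        self.accounts[user] = {"token": token, "last4": last4}
        return self.accounts[user]

    def checkout(self, user: str, amount_cents: int) -> dict:
        return self._vault.charge(self.accounts[user]["token"], amount_cents)

    def remove_card(self, user: str) -> bool:
        record = self.accounts.pop(user)
        return self._vault.forget(record["token"])

    def dump(self) -> str:
        """Everything an intruder can read from the web tier's account store."""
        return repr(self.accounts)
```

A token stolen from the web tier can still be presented to the vault while the intrusion lasts, so the vault's API needs its own authentication, limits and logging; what the design removes is the bulk export of reusable card numbers.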
Where a certified accountant needs to check and make sure everything is up to a certain standard.
That's good news, more IT jobs coming up?
-- Leeeter than leet
The bill covers California residents, not businesses. In other words, if you do business with any resident of California, you are affected by this bill. Moving to Nevada (a common method of avoiding California's outrageous taxes and crazy State Officials *cough*GrayDavis*cough*) does not help you in this case.
From the text of the bill:
"...are required to report the intrusion either by email, snail mail, a notice on their website, or by notification to the news media."
So the company puts it in size 1 font buried somewhere deep on their news page that hardly anyone reads after having a lawyer word it in such a way that normal users will have zero clue what it says.
Yep, that should work well.
Dirk
Here's this week's list of stolen credit card information.
Thanks, and check back next week!
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
Back when the attrition.org site was still counting defacements, you had an interesting stat: The number of defacements per OS version.
It would be very interesting to keep tabs on the OS versions of cracked systems, if only to avoid recommending them to new ecommerce sites.
Of course, this supposes that the cracked company will want to add shame to embarrassment. Hmmm, that will probably require a little nudge. Maybe friendly BOFHs will "leak" the OS version info in memos titled "I told you so, you freakin' management morons"? Aaaah, that would be the day...
That said, I got an email titled "Please look at that document" that contained the full customer file of a cleaning company, complete with billing info, that they kept in an Excel spreadsheet. Who needs crackers when you have Microsoft MAPI worms?
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
Background: my wife and I each have credit cards from a credit union. These are *excellent* cards: incredibly low rate, incredibly high limit, no fee.
Well, we do a bit of on-line shopping, so I wasn't entirely surprised when our number got 0wnz3rd. How did we find out? Not from the statement. First time, got a letter: Dear sir, we've been notified by Visa that your number may have been compromised. Please give us a call to confirm receipt of this letter. So I call them up, they say they'll cancel the account and issue new cards. Couple months later, same story, but with the other card, and this time, instead of sending a letter, they're calling me at my daytime phone number. I haven't seen any bogus charges, so I'm assuming that merchants notified Visa when they discovered intrusions, and Visa notified my CU.
So... my experience with getting notified in such cases is very good. Then again, the institution I'm dealing with has historically treated me very well.
In states like mine (MD), it's already law. I can get free credit reports every 60 days if I want.
:)
Despite being a pseudo-tech wasteland, MD has its finer points.
---- My Design, Code, Ruby on Rails blog: http://www.slash7.com/
Even more catastrophic is the theft of check-card numbers because unlike credit cards, funds are often debited IMMEDIATELY from your account. If you use a check-card, take heed. Although check-cards proudly stamp VISA and MASTERCARD and promote the flexibility this grants, these cards ARE NOT subject to the same fraud protections as traditional credit cards.
When my checkcard number (never used online and always protected and in my possession) took a ~$8,000 tour of Philippines furniture stores (while I was still happily at home just days after payday) the shock of having a $20 transaction denied and a $0.37 balance was incredible.
I raced into the bank and was casually told that their system had been "compromised" and yet the smiling bank functionary offered to give me a new check card on the spot and to report the incident (have me fill out a form) to their fraud department. I was frustrated, to say the least, by the almost complete lack of concern.
Not only was the initial reaction of the bank frustrating, but because the institution views check-cards much the same as traditional checks, their policies for handling fraud were the same as for investigating check fraud - time consuming and unprotective and inconsiderate.
While reclaiming my money (the meager sum of my $8,000 life savings) would take weeks, require me to take several days off from work to report continuing transactions, close accounts, cancel direct deposits, fax depositions, contact credit agencies, protest fees for late payments and returned checks, cancel plans for a short vacation, and borrow money for groceries and gas, I found that the bank was not willing to share any information concerning the theft of my check-card number, saying only that the number WAS stolen from their system during a MASSIVE theft of numbers. There was no effort to inform customers. The bank's official policy as quoted to me, was to "wait and see whose numbers were used and then fix it." The bank officer who told me this then said that was why she "was thinking about getting rid of her check card too."
While there were processes in place to fix the financial situation, no one could do anything to salve the emotional and mental stress. And never did the bank exhibit any sense of working quickly since it was their fault the number was stolen.
Although I did EVENTUALLY get my money restored to a new account, the consequences will last for a long time. Some creditors simply refused to remove late payment status from my credit reports and account histories.
So hurrah for California! As more and more people suffer similar tiring consequences, we should hope that a few more of our lawmakers recognize the seriousness and force banks and merchants to take responsibility for notifying customers following a hack attack.
I urge anyone using a check card to contact your banking institution about the protections they offer. I imagine that you will find few protections and that the institutions have NO plan to either inform customers or to assist customers whose numbers are stolen from the institution itself. So take heed, and consider dropping the check-card in favor of a conventional credit card.
For the rest of the nation we are left to the whims of our banks and merchants to deal with identity theft. Quite simply there needs to be national identity theft legislation.