Newspapers Wrapped in Credit Card Data
Buzzy's Roast Beef writes "The Boston Globe reports that bundles of newspapers in Worcester, MA were distributed wrapped in paper which contained subscriber credit card information for 240,000 customers. Those of you paying by check needn't worry; account and routing details for 1,100 customers paying by check were also given out like candy." From the article: "Larkin said the newspapers were first notified of the security breach on Monday by a clerk at a Cumberland Farms store. It took until late Monday for officials to confirm the data on the back of the paper were credit and debit card numbers. Senior management learned of the security breach yesterday morning, Larkin said. The company put out a news release late yesterday afternoon."
It should be a no-brainer that financial information (not just credit cards) can only be accessed by the finance department, and any waste paper in the finance department must be disposed of by professional data destruction companies.
The article explained the mistakes, which were caused by aborted print jobs, only those printed documents were in the bin for recycling!
At least the newspapers have now added a safeguard to the computer system so only the last four numbers of credit and debit cards can be printed.
Uncensored Google results requested and delivered by email
1-888-665-2644 is their hotline "for customers to call to learn whether their financial information may have been distributed."
Also:
"As an extra precaution, newspaper officials also urged subscribers to contact their credit card companies if they are concerned about unauthorized transactions."
This is a very serious problem
Subscribe for the articles, stay for your neighbor's credit card.
If this signature is witty enough, maybe somebody will like me.
Why do these data need to be printed at all? What possible need is there to see these numbers on paper?
and you wonder why newspapers have been struggling recently. The price one has to pay to have a subscription is just too much.
30% Troll, 50% Underrated, 10% Interesting
Score:5, Troll
The nice thing about being an honest guy like Quinn is that the crooks never believe you.
Lacking <sarcasm> tags,
Anyone up for doughnuts? a couple of my buddies from Boston are paying... Michael
In case anyone else was wondering (FTA):
The Globe and T&G financial information was inadvertently released when print-outs with the confidential information were recycled for use as ''toppers" for newspaper bundles. A topper, placed on top of a bundle of newspapers, is inscribed with the quantity of papers in each bundle and the carrier's route number.
I don't buy it for the pictures, I only read it for the occasional misprinting of hundreds of thousands of credit card information. *YOINK*
If big boobed women work at Hooters do one legged women work at IHOP?
Don't worry, we in Mass are sure this situation will end up fine now that Theo Epstein is back.
...inside an enigma. That's what this is.
Why was this information even printed out? I can't think of any reason that they would need to print full credit card numbers out. This sounds like an incredibly foolish thing to have happened.
________________________________________________
suwain_2
I clicked on the link in TFA, and got a page displaying an ad. 'For what?' you may ask.
The ad was for American Express. ^_^
Soko
"Depression is merely anger without enthusiasm." - Anonymous
The newspapers will turn over the card numbers of subscribers who may have been affected to the companies upon request. As of last night, Mastercard and Visa have asked for the details. The newspapers are doing the same thing with banks of customers who may be affected.
They will only turn the numbers over upon *request* and only MC and Visa have requested it? WTF?!
Everyone knows the newspaper industry is struggling to compete with the Internet, but they're really reaching nowadays, emulating the net's security breaches as well..
Slashdot Burying Stories About Slashdot Media Owned
... for an American Express card. :)
Maybe it all fits. Maybe a subscriber would want a new card after their Visa # is everywhere they want to be.
And please tell me there's some kind of criminal statute being violated here. The idea that those numbers would need to ever be printed out en masse is ridiculous; the process of letting those printouts get into the real world is grossly negligent.
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
This happens so often, and it is not really surprising. What makes me sad is that there is a much safer way that this could be handled. Rather than giving out credit card numbers, with your card number being stored by everyone who wants to bill you in a recurring manner, the card could instead be a private key, and used to sign a transaction statement (or even a recurring transaction statement). That way when someone at megaCorp screws up and leaks all of their users' CC data, all that goes out are a bunch of "I will allow megaCorp to bill me $20 a month" signed statements.
"The company put out a news release late yesterday afternoon"
And on the back of the news release was every subscriber's social security number.
Are there laws for things like this? I've heard of local companies having breaches, and all that comes of it is "oops, sorry. call us and call your credit card companies". shouldn't there be some sort of legal obligation for companies leaking/releasing this information? i don't know anything about health care, but aren't records there kept very confidential? aren't there fines and/or penalties for releasing patient information? shouldn't consumer information be treated the same way?
I'd say that's a very good need to worry.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
...when newspapers resort to creating news on a slow day.
Circulation and accounting are connected like two wrestling squid. Every night a whole series of jobs are run referencing all kinds of billing information to determine whose subscriptions are paid up to the point where they qualify to get a paper in the morning. So all the customer card/account numbers are processed by the circulation side, and sent in cash batches to accounting.
So you see there is a financial subset inside circulation that deals with that billing info, which is why they have access to it. The reason it doesn't go straight to accounting is because, in most papers, accounting deals almost exclusively with advertising revenue and billing, which is a lot more complex than 15 bucks a month, or whatever the news subscription rate is, which gets billed automatically.
All that being said, it took some kinda dumbass to dump that info out on the toppers, and a whole crew of dumbasses down the line to attach that information to the paper. Most places don't put anything like personal information on the toppers for papers they're distributing, so it should have been obvious to anyone that there had been a mistake...There are a LOT of people who should have noticed something was wrong.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
From the article on American Express:
Apparently the Boston Globe doesn't comply with the Payment Card Industry standard, found here: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
Specifically these sections:
9.10 Destroy media containing cardholder information when it is no longer needed for business or legal reasons:
9.10.1 Cross-cut shred, incinerate, or pulp hardcopy materials
9.10.2 Purge, degauss, shred, or otherwise destroy electronic media so that cardholder data cannot be reconstructed
nothing
I'm having a really hard time thinking of any way that they could have been more cavalier about this sensitive financial information.
Anyone, anyone? Bueller? Bueller?
If I allow somebody to cache my information, I would hope that they would at least try to protect it, rather than delivering to the world at large!
seriously, that's retarded. how did someone further up the supply chain not catch that?
I'm changing my cable subscriber. I need a solid 2 hours of shark attacks and baseball, plus regular updates about that kitty down the well.
I think they were trying to save some paper by recycling.. errr reusing papers.. heard of "Save paper, use both sides of toilet paper"?
Themselves this time!
Got Code?
Jesus Christ on a pogo-stick... you don't "recycle" some things. Put a cardboard box in each work area that deals with sensitive information for printouts like this, then collect it and effectively shred it. How hard is this?
Most times people leave the bundle toppers on top of the bundle when they toss 'em outta the truck at the drop point...Like, for example, your local gas station, grocery store, doughnut shop, whatever.
Lot of people could have seen 'em
So I had to cancel my card and get a new one.
It's too bad the Herald is such a rag or I'd drop my subscription today. Maybe I will anyway and just get my news off the web like everyone else.. but I so love to curl up with my coffee and paper on sunday mornings...
This takes irresponsible to a whole new level. Any company in their right mind should have shredders/chippers in their finance department for any waste paper.
Since having your identity stolen is so difficult to recover from I think anyone that has had their info. sent out should sue if their identity is stolen. Then the company gets to pay for the next five years of credit cleanup for the person.
Hit'em in the pocketbook and they'll pay more attention.
for any dumpster diving person, imagine all the info you would have got dumpster diving, home delivered!
We recycle a lot of paper, but we don't recycle it BACK INTO THE PRINTER. If nothing else, those high capacity laser printers have a tendency to jam on paper that's already been printed on, and if some motherf***er calls me at 3:30 in the morning because his motherf***ing toppers didn't get printed because some moron loaded the printer with crap paper, trying to save 5 bucks, I would be homicidal.
It's such a major screwup, it's hard for me to see how it couldn't have been done at least partly on purpose. How the hell did all those credit card numbers make it to hardcopy?
Do they take credit cards?
He who knows best knows how little he knows. - Thomas Jefferson
it's called magnetic tape, and DVD backup.
I can tell you with absolute certainty that, in the print media conglomerate that I work for, you will NEVER see hardcopy credit card numbers.
Wait, I thought credit card mishaps & other sources of fraud and identity theft only occurred on the Internet. Seriously, it's bad enough we have to spend 20% of our lives shredding our old financial data, but to have a 'supposedly' responsible organization make it all for naught?
Worse still, we've now found out (in a roundabout fashion) that they've been 'recycling' these credit card 'reports'. So that means for countless years, the people have just been 'giving' private/confidential/sensitive information to another company? Depending on who does the recycling, this trash may even be public property (like residential trash taken to the curb). I hope for damn sure they have a contract with this company that dictates the terms of use for this material and that it includes a clause defining the destruction of financial data.
I guess 'Freedom of the Press' has a new meaning now, eh?
I recently got a CD from H&R Block to use when doing my taxes. Turns out that H&R accidentally printed my social security number on the mailing label along with a string of other 'tracking numbers'. They sent a letter apologizing about it and saying that it had happened to a number of their customers. I still wonder why the shipping/printing department at H&R Block would have access to social security numbers at all.
I just hope they double-checked what kind of paper the news release was printed on!
A million monkeys and this is the best sig they could come up with...
...the newspapers to be wrapped in fish. Different rules in bizarro world.
They say the first thing to go is your penis. Well, it's either that or your brain. I forget which...
It's bad enough that we have to worry about security so poor that personal data backups are transported in personal vehicles and then stolen, or that some companies allow data breaches that result in identity theft... Now they're just giving our important data away?
That's it. I'm just writing my credit card numbers & expiry dates, passwords and PINs on stickies and leaving them on my monitor and in my wallet. That's about equally as secure as giving them to any company these days...
In addition to the phone number that other people have posted, there's a website (no hold time) that you can check to see if you've been exposed. You'll need to supply your home phone number and zip code:
http://www.bostonglobe.com/cclookup
and yes, I'm on the list....
Juiced? Or Not?
I work at a newspaper and know exactly what you are talking about, the accounting-circulation connection (hence the department name "Circulation Accounting") but I'm surprised to hear that the full card numbers were distributed. I would assume that only the most inside of people, because computers handle all of the transactions, could access that information.
For example, whenever a card number is typed into the database and updated it will only show the last four digits to any human. I would assume Circulation Accounting could track down the transaction and find the number that way, but as far as I know the full card number is only given up electronically. What is the point of even having a list of card numbers printed on paper? Why would that even be close to the circulation field staff? I would ask the CIO why the field staff needs credit card numbers.
Then you come to another point - are the carriers working for themselves? If so, then the liability may just fall on that one person. It seems the newspaper is picking up some responsibility so I assume they are employed by the newspaper. Then the question goes back to the IT departments: Why can users access information they do not need?
Almost sounds like someone did it on purpose, you never know.
Get your Unix fortune now!
Now they wrap newspapers with credit card numbers.
How do you like them apples?
Even people that believe in pre-destiny look both ways before crossing the street.
I am continually amazed that these big corporations lose credit card, ssn, and other personal data all the time. Why were these card numbers printed in the first place? Why was the paper recycled or reused and not shredded or professionally destroyed?
They should be required by law to keep the data secure. I would propose the following requirements:
- Credit card and personal information must be stored encrypted or not stored at all.
- Any machines containing cardholder data should be fully equipped with anti-virus, anti-spyware, firewall, etc.
- Printouts should never have the full card number. They should build their reports with just the last 4 digits of the card number or preferably using some other id number like a customer id or subscriber id that means nothing to someone outside of their database. Same thing goes for SSN.
- Printouts with any card or personal info should never leave the building
- Printouts should be under lock and key while they are needed, not just sitting on someone's desk.
- Printouts should be shredded or professionally destroyed when they are no longer useful.
- Laptops or other removable media should never leave the building with any useful info.
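The masked-printout requirement from the list above (and the "last four numbers" safeguard the newspapers added), sketched as a filter run over a print job before it reaches the spooler. This is an added example, not part of the original comment or the newspapers' system; the function names, the accepted card layouts and the sample report are assumptions constructed for illustration.

```python
import re

# Assumed card layouts: 16 digits grouped 4-4-4-4, 15 digits grouped 4-6-5,
# or an unbroken run of 13-19 digits. Separators are a space or a hyphen.
PAN_CANDIDATE = re.compile(
    r"(?<![\d-])"
    r"(?:\d{4}[ -]\d{4}[ -]\d{4}[ -]\d{4}"
    r"|\d{4}[ -]\d{6}[ -]\d{5}"
    r"|\d{13,19})"
    r"(?![\d-])"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(text: str) -> str:
    """Replace all but the last four digits with 'x', keeping separators
    so the column alignment of the printed report is unchanged."""
    keep_from = sum(c.isdigit() for c in text) - 4
    out, seen = [], 0
    for c in text:
        if c.isdigit():
            out.append(c if seen >= keep_from else "x")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def sanitize_print_job(text: str):
    """Return (sanitized_text, number_of_card_numbers_masked)."""
    masked = 0

    def repl(m):
        nonlocal masked
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()  # fails the checksum: not a card number, keep it
        masked += 1
        return mask_pan(m.group())

    return PAN_CANDIDATE.sub(repl, text), masked


# Constructed sample report; the card numbers are public test numbers.
SAMPLE_JOB = (
    "SUBSCRIBER BILLING RUN (constructed sample)\n"
    "0001  J. DOE     4111 1111 1111 1111  02/08  15.00\n"
    "0002  A. SMITH   5500000000000004     11/07  15.00\n"
    "0003  R. ROE     3782-822463-10005    06/09  15.00\n"
    "0004  ACCT REF   1234567890123456     n/a    15.00\n"
)

if __name__ == "__main__":
    clean, count = sanitize_print_job(SAMPLE_JOB)
    print(clean)
    print(f"masked {count} card number(s)")
```

The checksum step is what lets the account reference on the last row through unmasked while the three card numbers are reduced to their last four digits. Card numbers printed in a layout the pattern does not list would pass through, so a filter like this backs up, and does not replace, keeping full numbers out of the report query in the first place.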
Ironically, the news release itself was wrapped in paper bearing the Social Security numbers, ages, and (worst of all) current weights and clothing sizes of the paper's subscribers.
This space intentionally left (almost) blank.
https://www.eff.org/https-everywhere
Just do like the mortgage companies do with all of their paper waste and have a company like Shred It take care of it.
Just like its corporate parent, the New York Times, the Boston Globe is hemorrhaging readers. Their politics are left wing, they supported Kerry and all the other moonbats. They continue to telemarket randomly even though my number is on the "do not call" list. I've filed a complaint with the FTC about this. That they would be so cavalier about personal information doesn't surprise me. The paper sucks, the management sucks, and they should be euthanized. That's what they do to old horses; the Globe is an old horse.
== First cross river, then insult alligator.
I think the ad provider analyses the text in article and show relevant (!) ads.
:)
You should not miss Microsoft bitching stories, comments on Slashdot, MS ads everywhere
I mean, if OSTG didn't tweak it.
Back in 1994, I ordered some books from an E-mail based company (Walnut Creek or somewhere similar).
The books arrived packaged in a box, with packaging made from horizontally shredded listings of Oracle customer response center telephone numbers.
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
I used to work for a reasonably large computer retail chain. (Not a mom-and-pop strip mall store, mind you, this is a considerably large, multi-state chain.) Until about 6-7 years ago (jeez... has it been that long?) we used to print the customer's credit card number on EVERY receipt in its entirety, including the expiration date. Then we threw the duplicate receipts away in the dumpster. I don't specifically know if any of our customers ever got ripped off, but it was a pretty boneheaded thing to do. Finally someone in upper management got smart and modified the software to print out xxxx xxxx xxxx 5798 on the receipts.
-Arthur
Cave ne ante ullas catapultas ambules
The company put out a news release late yesterday afternoon
Was it wrapped in credit card information too? Or maybe just social security numbers...
You're reading Slashdot. Of course you like Linux and pc hardware
Posted anonymously for obvious reasons.
"Fortunately for the Boston Globe, all of the said papers were immediately used to line the shoes of bums and roll massive crack/turpentine spliffs, Worcester style."
---------
No matter how thin you slice it, it's still baloney.
Or $11 million in total.
If you paid by credit card and the info was exposed, you aren't liable for any fraudulent charges. That is thanks to Visa/MasterCard/American Express/Discover offering zero-liability for fraud.
If you see fraud, you don't have to pay for it.
If you are still worried, call the bank and get a new credit card with a new number.
That sounds like something I'd worry about.
BUT NO TERRORISTS WERE HARMED BY THIS INVASION OF PRIVACY:
Credit and bank card numbers of as many as 240,000 subscribers of The Boston Globe and Worcester Telegram & Gazette were inadvertently distributed with bundles of T&G newspapers on Sunday, officials of the newspapers said yesterday. . . . In addition, routing information for personal checks of 1,100 T&G subscribers also may have been inadvertently released.
The Globe and T&G, which are both owned by The New York Times Co., share a computer system.
So it's okay, then.
I like to order CDs from CDBaby.com because they say they don't keep your credit card number. I really wish more companies did this. Unless you're signed up for auto-renew or something, why do they even need to keep that kind of information on file? If somebody is so lazy that they want to give up security just because they don't want to have to put in their credit card number again, they deserve what they get.
The newspaper has just received as many as fifty thousand brand new subscriptions from Nigeria! The Center of Excellence in Lagos has ordered 419 copies alone.
In other news the U.S. Navy has just announced that its next Seawolf-class nuclear attack submarine will be christened "SSN Boston Globe and Worcester Telegram Gazette" in anticipation of further inadvertent personal data disclosure.
My wife got one of these TaxCut CDs, too. The letter (which arrived a week or two before the CD) said the SSN would be "embedded in a very long string of digits" or something, so "don't worry, no one will ever suspect it's your SSN"...but in reality it was just something like "AB333224444" or something.
We found it pretty funny.