Slashdot Mirror


Newspapers Wrapped in Credit Card Data

Buzzy's Roast Beef writes "The Boston Globe reports that bundles of newspapers in Worcester, MA were distributed wrapped in paper which contained subscriber credit card information for 240,000 customers. Those of you paying by check needn't worry; account and routing details for 1,100 customers paying by check were also given out like candy." From the article: "Larkin said the newspapers were first notified of the security breach on Monday by a clerk at a Cumberland Farms store. It took until late Monday for officials to confirm the data on the back of the paper were credit and debit card numbers. Senior management learned of the security breach yesterday morning, Larkin said. The company put out a news release late yesterday afternoon."

8 of 150 comments

  1. Why? by suwain_2 · · Score: 4, Insightful

    Why was this information even printed out? I can't think of any reason that they would need to print full credit card numbers out. This sounds like an incredibly foolish thing to have happened.

    --
    ________________________________________________
    suwain_2 :: quality slashdot p
  2. Perhaps the globe should investigate by codepunk · · Score: 2, Insightful

    Themselves this time!

    --


    Got Code?
  3. Burn Box, anyone? by andreMA · · Score: 2, Insightful

    Jesus Christ on a pogo-stick... you don't "recycle" some things. Put a cardboard box in each work area that deals with sensitive information for printouts like this, then collect it and effectively shred it. How hard is this?

  4. Re:Heh. by colin_young · · Score: 2, Insightful

    I think a couple of wrestling squid managing the billing and circulation might explain why the Boston Globe was unable to deliver the paper to me when I was a subscriber, and started leaving them on my doorstep whenever I cancelled my subscription (and not just one time).

  5. Data security by stringycheese · · Score: 2, Insightful

    I am continually amazed that these big corporations lose credit card, SSN, and other personal data all the time. Why were these card numbers printed in the first place? Why was the paper recycled or reused and not shredded or professionally destroyed?

    They should be required by law to keep the data secure. I would propose the following requirements:

    - Credit card and personal information must be stored encrypted or not stored at all.
    - Any machines containing cardholder data should be fully equipped with anti-virus, anti-spyware, firewall, etc.
    - Printouts should never have the full card number. They should build their reports with just the last 4 digits of the card number or preferably using some other id number like a customer id or subscriber id that means nothing to someone outside of their database. Same thing goes for SSN.
    - Printouts with any card or personal info should never leave the building.
    - Printouts should be under lock and key while they are needed, not just sitting on someone's desk.
    - Printouts should be shredded or professionally destroyed when they are no longer useful.
    - Laptops or other removable media should never leave the building with any useful info.

  6. Re:Heh. by Lijemo · · Score: 2, Insightful

    Circulation and accounting are connected like two wrestling squid. Every night a whole series of jobs are run referencing all kinds of billing information to determine whose subscriptions are paid up to the point where they qualify to get a paper in the morning. So all the customer card/account numbers are processed by the circulation side, and sent in cash batches to accounting.

    So you see there is a financial subset inside circulation that deals with that billing info, which is why they have access to it. The reason it doesn't go straight to accounting is because, in most papers, accounting deals almost exclusively with advertising revenue and billing, which is a lot more complex than 15 bucks a month, or whatever the news subscription rate is, which gets billed automatically.

    Um... your description explains why the circulation department needs 1) a unique identifier for each customer and 2) the balance available on their account. You haven't demonstrated why anyone other than one or two people in the billing department would need to have access to the actual credit card or checking account numbers.

    If they are using the credit card number as the unique identifier for the customer, that's just dumb, and they deserve censure for setting up the system on such an insecure foundation-- since they have practically guaranteed some form of security leak.

  7. Re:Heh. by SatanicPuppy · · Score: 4, Insightful

    I'm not explaining the billing system, I'm just saying why the numbers are available at all.

    The way it works here is pretty similar to what you're talking about. Each customer has a unique ID. Now somewhere in the system that ID is connected to their credit card number (if they pay with it), but that part is never accessed by any reporting features. It's just sourced every time a billing request is generated by a weekly billing job in another part of the system. That job runs a charge on the card, and marks down the payment in another area, referenced by the customer ID and containing the date, amount, and transaction ID.

    There are two people here who have a high enough level of access to the system to write a report that would merge credit card and user data in a printable form. There are maybe three others who could look up any card they chose, but they couldn't generate any kind of report containing multiple cards. All the printers connected to that system are in a physically secure area.

    Basically we never do anything with the credit card number but generate billing with it. It's on no reports. Why would it be? What legitimate use is the credit card number to anyone except the authorized user? I passed the article around down here in the basement, and we all had a good laugh about it (first time we've been happy not to be the Globe...heh), and none of us can even IMAGINE a scenario where printed lists of credit cards would be useful for any legitimate purpose.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  8. Re:Heh. by antron-jedi · · Score: 2, Insightful

    a whole crew of dumbasses down the line to attach that information to the paper

    I used to work at the distribution center in New Hampshire, where the various sections of the papers are put together to form the whole paper. Yes, it is a whole crew of dumbasses.