Newspapers Wrapped in Credit Card Data

Buzzy's Roast Beef writes "The Boston Globe reports that bundles of newspapers in Worcester, MA were distributed wrapped in paper which contained subscriber credit card information for 240,000 customers. Those of you paying by check needn't worry; account and routing details for 1,100 customers paying by check were also given out like candy." From the article: "Larkin said the newspapers were first notified of the security breach on Monday by a clerk at a Cumberland Farms store. It took until late Monday for officials to confirm the data on the back of the paper were credit and debit card numbers. Senior management learned of the security breach yesterday morning, Larkin said. The company put out a news release late yesterday afternoon."

Why?

[suwain_2]

Why was this information even printed out? I can't think of any reason that they would need to print full credit card numbers out. This sounds like an incredibly foolish thing to have happened.

Re:Heh.

[SatanicPuppy]

I'm not explaining the billing system, I'm just saying why the numbers are available at all.

The way it works here is pretty similar to what you're talking about. Each customer has a unique ID. Now somewhere in the system that ID is connected to their credit card number (if they pay with it), but that part is never accessed by any reporting features. It's just sourced every time a billing request is generated by a weekly billing job in another part of the system. That job runs a charge on the card, and marks down the payment in another area, referenced by the customer ID and containing the date, amount, and transaction ID.

There are two people here who have a high enough level of access to the system to write a report that would merge credit card and user data in a printable form. There are maybe three others who could look up any card they chose, but they couldn't generate any kind of report containing multiple cards. All the printers connected to that system are in a physically secure area.

Basically we never do anything with the credit card number but generate billing with it. It's on no reports. Why would it be? What legitimate use is the credit card number to anyone except the authorized user? I passed the article around down here in the basement, and we all had a good laugh about it (first time we've been happy not to be the globe...heh), and none of us can even IMAGINE a scenario where printed lists of credit cards would be useful for any legitimate purpose.