Slashdot Mirror


User: mpe

mpe's activity in the archive.

Stories: 0
Comments: 14,499

Comments · 14,499

  1. Re:You too can be an armchair scientist. on Scientists Discover Cows Point North · · Score: 1

    They may just like sun on their backs and not in their eyes.

    Maybe not having the sun in their eyes makes it easier to spot predators.
    Anyway it should be quite easy to test if cattle have a magnetic sense.

  2. Re:Yes/No on Should Companies Share Criminal Blame In ID Theft? · · Score: 1

    How about tracking progress of a product line. They see that while a product is still selling strongly they may find that some areas stopping and spreading thus time to change the product or offer services to extend the product. Or change the shipment quantities around so one location isn't overstocked and the other has a stock out.

    In which case the kind of information you are most likely to need is that related to your stock. Together with details related to your distribution system. Whilst some kind of statistical information about your customers might be useful it's hard to see how individual customer details are going to be of any possible use. Unless you have such a small number of customers that each one is likely to account for a substantial portion of your business.

  3. Re:Yes/No on Should Companies Share Criminal Blame In ID Theft? · · Score: 1

    I can understand why a hotel would want to keep my information on file for a short while, say a week or two to assure that I've been charged for my visit,

    Only if the hotel is using some sort of offline batch system for processing credit card transactions. (Or they still use those carbon paper press things.) If the guest has managed to use a stolen card then the hotel having a record of those card details isn't going to be much help anyway.

    or held responsible if I happened to break a lamp or a window

    Unless someone checks the room when you leave or at least before the next guest turns up how are they going to know who to charge?

  4. Re:Yes/No on Should Companies Share Criminal Blame In ID Theft? · · Score: 2, Interesting

    Nobody needs to store SSNs except the government that issues them. The fact that people made the MISTAKE of standardizing on SSNs as primary keys for users to begin with is their own fault.

    It's also rather daft since it complicates matters if they need to deal with customers who don't have SSNs, e.g. corporations.

    Mainly because SSNs are horrible primary keys since they REPEAT!!! Yes look it up... they DO get reissued after death and with long-term storage, this will only cause issues for storage of personal data.

    The reissuing might have some interesting effects if someone's estate took a long time to be sorted out :)

  5. Re:Yes/No on Should Companies Share Criminal Blame In ID Theft? · · Score: 1

    I could also see the benefit of some stores keeping some light data on you (name, address, phone) so they can contact you

    Assuming that "contacting you" doesn't result in you avoiding doing business in future. The whole point of a "store" is that customers will generally come there if they want to buy something.

    but I think they should get rid of your credit card info after X days/weeks.

    Once the transaction is complete then they have no need to keep the credit card details at all.

  6. Re:Yes/No on Should Companies Share Criminal Blame In ID Theft? · · Score: 1

    I've got a better idea. Ban the collection of personal information beyond the time required for the transaction.

    Which may well mean that it doesn't need to be stored in the first place.

    I don't buy it that companies somehow need to store all this info on people especially years after the transaction has occurred.

    In many such cases the data collected is of little value to the company concerned. It's only of great value to criminals.

  7. Re:Imposter! on NIST Releases Report On WTC 7 Collapse · · Score: 1

    Posting a story on 9/11 to Slashdot and telling people not to talk about conspiracy theories is a joke.

    It's a joke because it's hard to come up with a conspiracy free theory to explain multiple hijackings happening on the same day. (Never mind anything else).
    Very few people, including the US Government and "mainstream media", have ever mentioned (let alone advocated) anything other than conspiracy theories in relation to "911".

  8. Re:Qinetic not very upset at all on Solar Plane Breaks Endurance Record · · Score: 1

    But both are beside the point. Once you've scaled a plane down to smaller than common types of birds, it's effectively invisible anyhow, with the enemy recon plane being indistinguishable from wildlife.

    So long as you don't do anything stupid like try to fly it faster than any bird or transmit RF signals. Also the RCS of an object is not a function of size...

  9. Re:Not a troll, on Best Western Loses Details On 8 Million Customers · · Score: 1

    There's nothing intrinsic to Linux which would prevent an application running as an unprivileged task in userland hooking into the desktop environment and passing keystrokes to an unknown outside attacker.

    Actually there's plenty. Specifically that a Linux admin has absolute control over what happens to the machine and how it happens.
    How is this application going to get on the machine in the first place? (As an executable file). How is it going to get executed? Especially when the "desktop environment" is a hotel reservation system...

    You could significantly reduce the risk, however, by reducing how much access each user has to various systems, firewalling between departments and blocking not just incoming traffic but also outgoing traffic at the border, only allowing known-good traffic to pass.
    This exact same technique works equally well regardless of what OS you use on the desktop ;)

    It's easier when the relevant tools come as standard. As opposed to third party addons which may or may not actually do the job.

  10. Re:Not a troll, on Best Western Loses Details On 8 Million Customers · · Score: 1

    Had Best Western used a 100% secure OS like OS X, none of this would have happened, and they likely would have caught the hacker with their enterprise IDS.

    If they'd used a secure setup then they probably wouldn't have caught anyone, since nobody would have gotten into the system in the first place. Even if someone had they'd have been able to do a lot less damage. Certainly not obtain the entire database, possibly only enter bogus reservations. Unless they already knew customer details (possibly customer, hotel and date combinations).
    A secure system is rather more than just using a secure OS, but using one which is secure "out of the box" makes things rather easier than using one which is effectively designed to be insecure.

  11. Re:Not a troll, on Best Western Loses Details On 8 Million Customers · · Score: 1

    No matter the OS, someone opened a bad e-mail.

    Whilst email appears to be an effective vector for spreading malware with Windows (especially with Microsoft MUAs) there doesn't appear to be a single example of it happening with any other OS. With a unix type system an executable attachment would first need to be saved (to a filesystem which supported executables) then have its permissions changed to allow execution. All of the tricks which can be used on Windows to pretend that an executable file is something else are specific to Windows.

    Any employee working from home could have done that.

    It's rather easier to set up a very restricted machine for someone to use for homeworking using Linux/MacOS than it is with Windows. Things like ingoing and outgoing firewall rules and it being easy to divorce a VPN client from a user login are very helpful here.

  12. Re:Corporate Death Penalty on Best Western Loses Details On 8 Million Customers · · Score: 1

    I mean they would do whatever's necessary to protect their shareholders (the owners) from losing their investment.

    In the case of a publicly traded company you'd probably want to delist them from all stock markets as a first action. So as to minimise the possibility that the stock market price was lower than the "liquidation value"...

  13. Re:Not such a bad thing... on Best Western Loses Details On 8 Million Customers · · Score: 1

    I don't like Best Western very much, even in the US, but this means I will never stay with them again if that's their idea of their customers' best interests. My best interests will best be served with ... another hotel.

    You probably mean an independent hotel where you can make a booking which does not involve a "cardholder not present" credit card transaction. Otherwise how do you know that Best Western's behaviour isn't "industry standard"?

  14. Re:It's putting an optimistic spin on things. on Best Western Loses Details On 8 Million Customers · · Score: 1

    "Losing data" would be an operational mess for the organization.

    Since most of the data concerned had zero relevance to the company's current operations it wouldn't have mattered too much. The only important data they'd have lost would have been future bookings which the relevant hotels hadn't already been informed about.
    Worst case scenario they'd have had to deal with a fairly minor number of overbookings.

  15. Re:Why on Best Western Loses Details On 8 Million Customers · · Score: 1

    Most of the time, when I read a story along these lines (lost data, stolen data, client personal details incl. credit info), I have to ask myself "do they really need to archive all this data on their customers?"

    In some cases it's more at the level of "Did they need to store this data at all?". Never mind the question of if they need to store lots of specific data on people who were their customers at some time in the past.
    Whilst some sort of statistical data might be useful, knowing the names and addresses of who stayed in a hotel several months ago probably isn't of much use to the hotel.
    There appear to be many cases where storing these kind of details is of little value to either business or customer. e.g. storing credit card details is utterly pointless if the card will expire before any repeat business is likely. It's hardly difficult to give credit card details over the phone or put them into a web form anyway. Any potential benefits of storing the details (even encrypted somehow) are trivial, whilst the risks of criminals getting hold of these details are serious.

  16. Re:coming from an employee, not surprising on Best Western Loses Details On 8 Million Customers · · Score: 1

    best western (doesn't seem to be) very meticulous about quality and security, they're more concerned with marketing.

    That probably sums up the majority of corporate IT :)

    there's a company (MSI) that we use at my location for everything... and it's pathetic. the full-time night-audit is studying programming (java, sql, c/++/#) on his own and has no end to his list of problems that are juvenile in nature. the system uses udp, to give you an idea. the sql queries take far too long to process on our lan and there are more things that get broken each time something gets fixed with an update.

    On a LAN using UDP can actually be faster than using TCP. Especially if there is no IP fragmentation involved. So I suspect your problem is somewhere other than the network.

  17. Re:Not a troll, on Best Western Loses Details On 8 Million Customers · · Score: 1

    I'm not a huge fan of MS but what difference does it make what OS the desktop uses, you can just as easily install a trojan on Linux or OS X.

    Actually in many cases you can't. Windows has specific "features" of lacking a clear distinction between "user" and "admin" tasks (including such situations as users needing admin privs to run certain applications) and lacking an execute file permission.

    A properly locked down windows system is just as secure as anything else, as usual the weakest link is the user.

    Locking down Windows properly is a very hard task. Many Windows admins don't know how to do it and many Windows application developers don't have the first clue.

  18. Re:Why give your home address ? on Best Western Loses Details On 8 Million Customers · · Score: 1

    I always give the hotel a business address - like that some criminal does not know where to go while I am at the hotel. I do the same with labels attached to luggage when flying.

    Does a hotel actually need your address? Does your luggage need an address label (especially on the outside)? When will people learn to give the minimum of personal information that is absolutely necessary ?

    Probably when businesses stop asking for the absolute minimum. Even hassling (potential) customers who refuse to give them more than the minimum actually needed for the transaction in question. In many cases the minimum can be very minimal.

  19. Re:PARDON? on Best Western Loses Details On 8 Million Customers · · Score: 1

    it's easy. Europe, and member states have strict data protection laws, Best Western have broken more than one.

    Assuming these laws actually are enforced.

    Certainly, in the UK directors of a company are responsible for data protection and could be criminally responsible - although this has not been tested in court.

    It also isn't much use in relation to a company in Arizona, USA.

    Certainly, I've worked in a few large organisations that have had to encrypt credit card data in databases so that members of staff may not see the data. if Best Western had done this, then the data would have been a bit more secure.

    Probably not that much more secure, even if they used something more sophisticated than a Caesar cipher.

  20. Re:PARDON? on Best Western Loses Details On 8 Million Customers · · Score: 1

    I highly doubt that the Best Western meets the standards for criminal negligence in this case. In fact, the article mentions that they deactivated the compromised security credentials of the employee in question immediately. That alone suggests that levels of security were present in their information systems. You would seem to suggest that the fact they did means the security did not exist, which is contradictory. The security existed, it was just bypassed or failed in some way.

    Reading the article it appears that they deactivated the account when the newspaper told them they had a problem.

    I highly doubt that a reasonable person, which would most likely be a network administrator or somebody possessing the requisite skill sets, would conclude that the security measures were that inadequate and that the Best Western had knowledge of that fact. Logon credentials by itself suggest that.

    The system was inadequate on several levels.
    Someone from outside was able to install software on a machine to capture username and password combinations. Installing software on a machine is something which should be very hard, especially without physical access.
    It was possible to make use of a captured username and password from a remote machine, effectively the reservation system was open to the entire Internet. If the system were not open to the entire net even having such a username and password would have been useless without also having access to a specific machine.
    This username and password (apparently belonging to a data entry clerk) allowed the entirety of a large database to be retrieved. Using this username and password the hackers should only have been able to do the same things the user could do. i.e. adding reservations, looking at/amending reservations one at a time (if they already knew the customer details), etc. The worst they should have been able to do would be add bogus reservations and possibly cancel a few.

  21. Re:PARDON? on Best Western Loses Details On 8 Million Customers · · Score: 2, Insightful

    Fine, but if the company did its due diligence, like say privileged IT workers were promoted from within after long periods of honest work, or new people were given careful background checks, then it's sort of unfair to blame the company.

    None of these address the real issue of storing data for considerably longer than it was necessary. Including data which should only have been in the system for a matter of seconds and never written to any non volatile storage.

  22. Re:PARDON? on Best Western Loses Details On 8 Million Customers · · Score: 1

    If you can break one account and download millions of records before anyone notices and you allow all that anonymously over the Internet, then I'd say there are some systemic problems.

    Assuming you notice at all...

    That is by far the easiest way to do it, but also the least secure. If any single user account gets hacked, the entire database is open for quick and easy download. But, if you had people go through a front-end that only fed one record at a time, logged all records presented to which accounts, froze the account at more than 10 records per minute or 100 in a day (or whatever number works) then you could make a system that would still allow for a user that gives away his username and password and not make millions of records available for immediate download.

    Which will not prevent any normal users being able to do whatever they need to do. It will probably work better if you only allow access via a LAN or VPN too.

    Compartmentalization is important for security, but never done because it is often inconvenient for the users.

    Rather that's the perception, true or not. It's perfectly possible that giving everyone access to everything is inconvenient to users since it results in a clumsy interface with lots of irrelevant information.
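    The record-serving front end sketched in comments 20 and 22 above (one record per request, every record logged against the account that fetched it, the account frozen once it passes 10 records a minute or 100 a day) as an added, runnable illustration. This is not code from the thread or from any hotel reservation system; the record layout, the (surname, hotel, check-in date) lookup key, the sample reservations and the simulated clerk accounts are all constructed for the example.

```python
"""
Record-access front end with a per-account audit log and rate limits.

Added illustration, not code from the Slashdot thread or from any hotel
reservation system. It implements the design sketched in the comments
above: a record is served only when the caller supplies its full key, one
record per request; every lookup is logged against the requesting account;
and an account is frozen once it exceeds 10 records per minute or 100 per
day (the thresholds suggested in the thread). Record layout, sample data
and the simulated scenarios are constructed for the example.
"""
from collections import deque
from dataclasses import dataclass, field

PER_MINUTE_LIMIT = 10       # thresholds from the thread; tune to real usage
PER_DAY_LIMIT = 100
MINUTE = 60.0
DAY = 86_400.0

# Constructed sample table keyed by (surname, hotel, check-in date): a clerk
# who does not already know all three cannot retrieve anything.
RESERVATIONS = {
    ("smith", "hotel-a", "2008-09-01"): {"room": 101, "card_last4": "1234"},
    ("jones", "hotel-a", "2008-09-02"): {"room": 102, "card_last4": "9876"},
}


class AccessDenied(Exception):
    """Raised when an account is frozen or has exceeded a rate limit."""


@dataclass
class Account:
    name: str
    frozen: bool = False
    # Timestamps of this account's lookups within the last day.
    lookup_times: deque = field(default_factory=deque)


class RecordFrontEnd:
    def __init__(self, per_minute=PER_MINUTE_LIMIT, per_day=PER_DAY_LIMIT):
        self.per_minute = per_minute
        self.per_day = per_day
        self.accounts = {}
        # (timestamp, account, key-or-event): the record of who saw which record.
        self.audit_log = []

    def _account(self, name):
        return self.accounts.setdefault(name, Account(name))

    @staticmethod
    def _count_within(acct, now, window):
        return sum(1 for t in acct.lookup_times if now - t < window)

    def lookup(self, account_name, surname, hotel, checkin, now):
        """Serve one reservation (or None if the key does not match).

        Misses count against the limits too: a stream of misses is exactly
        what an attempt to enumerate the table looks like.
        """
        acct = self._account(account_name)
        if acct.frozen:
            raise AccessDenied(f"account {acct.name} is frozen")
        # Discard timestamps older than a day so the deque stays bounded.
        while acct.lookup_times and now - acct.lookup_times[0] >= DAY:
            acct.lookup_times.popleft()
        if (self._count_within(acct, now, MINUTE) >= self.per_minute
                or self._count_within(acct, now, DAY) >= self.per_day):
            acct.frozen = True
            self.audit_log.append((now, acct.name, "FROZEN"))
            raise AccessDenied(f"account {acct.name} exceeded its rate limit")
        key = (surname.lower(), hotel, checkin)
        acct.lookup_times.append(now)
        self.audit_log.append((now, acct.name, key))
        return RESERVATIONS.get(key)


def simulate_lookups(front_end, account, count, start=0.0, interval=0.5):
    """Constructed scenario: one account issuing `count` lookups `interval`
    seconds apart. Returns (records served, index of first denial or None)."""
    served = 0
    for i in range(count):
        try:
            front_end.lookup(account, "smith", "hotel-a", "2008-09-01",
                             now=start + i * interval)
            served += 1
        except AccessDenied:
            return served, i
    return served, None


if __name__ == "__main__":
    fe = RecordFrontEnd()
    # A clerk working normally: a handful of lookups spread over a shift.
    print(simulate_lookups(fe, "clerk-normal", 8, interval=MINUTE * 15))
    # A stolen credential pulling records as fast as it can: ten served, then frozen.
    print(simulate_lookups(fe, "clerk-stolen", 50, interval=0.5))
    print(fe.accounts["clerk-stolen"].frozen, len(fe.audit_log))
```

    The per-day cap and the one-day eviction window are deliberately the same value, so a quiet account's history never grows past a day of timestamps; the audit log, by contrast, is append-only, since "which account saw which record" is the evidence an investigator needs after the fact. Misses count toward the limits as well as hits, which is what stops a leaked credential being used to probe for valid keys below the hit threshold.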

  23. Re:How much has to happen 'til we see consequences on Best Western Loses Details On 8 Million Customers · · Score: 1

    This is why I am resisting my company's new policy of storing online and in a filing cabinet every employee's credit report, retail theft report, criminal check report, fingerprints, passport, birth certificate and self declaration of any crimes for the last 7 years including minor traffic violations.

    What do they need this for in the first place? Who keeps the time sensitive part up to date? Unless the employee is driving for the company how are "traffic violations" even remotely relevant? (What about an employee who doesn't even drive to work?)

  24. Re:How much has to happen 'til we see consequences on Best Western Loses Details On 8 Million Customers · · Score: 1

    The neglect is in the data being still available for the criminals to gain after a year has passed. How long do you need to process some credit card transaction?

    The only details which actually needed to be held in the system would be those of current individual guests for theft/damage. Even for that such information only needs to be available to the specific hotel.

    I would not complain (that much) if a month's worth of customer data was stolen. You need this information for possible complaints and booking changes.

    But you don't need credit card data for this. Deposits are typically non refundable and if someone needs to increase their booking they can give card details there and then. Even with a hotel chain it tends to be perfectly possible for a customer to deal directly with a specific hotel too.

  25. Re:How much has to happen 'til we see consequences on Best Western Loses Details On 8 Million Customers · · Score: 1

    We're getting "anti-terror" laws that cut away our civil liberties piece by piece, despite little to no terrorist activity anywhere.

    Such laws aren't even applied to all actual terrorists either. Probably because it's too embarrassing for those in "authority" to admit that not only is terrorism a risk of the level of "freak accidents" (at least in North America and Europe) or that the majority of actual terrorists can't be fitted into the Al Qaeda conspiracy theory...

    Yet we have "data loss" on an almost weekly basis and nothing happens. Could anyone tell me why those companies are still in business? When did criminal neglect become less than a misdemeanor?

    At least part of the difference is that there is often little effective law enforcement directed at "corporate people". Even when applicable laws actually exist. Even though the economic losses due to "corporate crime" are so large that a dedicated police force would probably pay for itself within a few years.

    These companies cause problems to their customers by their careless handling of personal and financial data. At the very least, they subject their customers to the threat that their credit card data is in the hands of a criminal, ready to use it whenever they please. When are we going to see some laws that mean consequences if you can't handle your customers' data?

    Or even something like if a retailer stores credit card details without a good reason they forfeit their merchant accounts, are charged all costs involved in those credit cards being reissued, are denied access to any other bank accounts for a month, etc.

    Every company is very keen to collect everything about you, from your favorite dish to your shoe size, but they can't be bothered with the task to keep this information secure? If you can't keep info secure, don't collect it, dammit!

    In many cases the information is of little use to either the customer or the business. Even though it might be very valuable to criminals. A basis of effective data protection is "Don't collect and store it, unless you absolutely need to". However even places which have strong data protection laws tend to lack effective enforcement.