
stories filed under: "security breach"
News You Could Do Without


by Mike Masnick


Filed Under:
security breach, upsell

Companies:
citibank



Using A Security Breach As An Upsell Opportunity?

from the shameful dept

Danny Sullivan has a blog post blasting Citibank for how it handled a security breach that required him to get a new credit card. Apparently a vendor where Sullivan had used the card had a breach, so Citibank sent him a new card. But did they tell him which vendor it was so that Sullivan could avoid doing business with them in the future? Of course not. But much more insulting is that when he went to activate the new card, Citibank tried to upsell him on a credit check offering. As Sullivan notes, shouldn't Citibank be offering that to him for free? It's probably cheaper than having to send out thousands of new cards every time a vendor screws up. Of course, when Sullivan points that out to the person on the phone, the person at the other end says "we're just the activation department, you'd have to talk to customer service for that." Of course, if they're just the activation department, why are they doing sales as well? I'm sure the big banks will claim that these sorts of sales processes work in that enough people are suckered into these high-margin upsell offerings, but wouldn't it be nice to have a bank that actually treated customers well?

(Mis)Uses of Technology


by Carlo Longino


Filed Under:
credit cards, security breach



Making Credit-Card Payments More Secure By Making Breaches More Expensive

from the aligning-incentives dept

It seems that hardly a month goes by without news of yet another credit-card data breach. Based on this, it seems fairly clear that the industry largely sees these breaches and the fallout from them as a cost of doing business, and one that's preferable to the cost of securing and monitoring their systems effectively. The industry has come up with a security compliance framework, but such rules have a history of being ignored. Even if they aren't ignored, though, they're so full of loopholes that they're fairly worthless. As the original poster, Andrew Conry-Murray, puts it, "It's not about security. It's about an industry covering its ass." Basically, the compliance system exists not to truly protect data, but rather to ward off government intervention.

Conry-Murray's contention is that the compliance system is far too easy to game, particularly because it only checks companies' systems once per year. His suggestion is to force all merchants and processors to comply, and check their systems regularly. Companies could opt out, but by doing so, they would be agreeing to significantly higher fees and penalties in the case of a breach. As he notes, these fees would have to be high enough that they would make devoting more resources to security a more desirable option. This idea, and indeed any that dramatically increases the cost of breaches, is worth mulling over as a way to encourage companies to increase their security. As long as the fallout from data breaches isn't enough to make companies sit up and take notice -- and change their behavior -- there won't be any real change.

Scams


by Mike Masnick


Filed Under:
credit cards, security breach

Companies:
heartland payment systems



May Have A New Winner In The Largest Security Breach Ever Department

from the and-it-will-get-larger,-I'm-sure dept

In the past, we've joked about how with pretty much every security breach, there's an initial estimate of the damage done, followed much later by a second report that admits the breach impacted many more people. It happened with the VA. It happened with Choicepoint. And, it happened with TJX, which raised the bar on being the worst security breach ever not once, but twice, to impact nearly 94 million people. Who could top that?

Step up to bat, Heartland Payment Systems. Chris writes in to point out that Heartland appears to have picked a pretty good day to announce a security breach that may impact over 100 million people. Everyone's off paying attention to the inauguration, so they might miss the news as it comes out today -- but they're likely to hear about it soon enough. It appears that Heartland's own computers were infected with malware which passed on information about transactions to some scammers.

Heartland is now claiming that this really isn't that big a deal, because personal information wasn't included in the breach -- meaning the data was useful for creating new cards with bogus data, but not useful for "card not present" transactions such as internet transactions or creating fake cards of real people. Because of this, Heartland doesn't think that it should need to offer credit monitoring services to impacted users, which has become the somewhat standard penance for those caught leaking credit card info.

Of course, some are already questioning the timing of announcing the breach. Considering they figured out what happened a week ago, the timing does seem a bit interesting: waiting until the inauguration was underway to disclose this information.

Still, given the history of so many earlier breaches turning out to be much worse later on, what's the over-under on the next announcement about how much worse this breach actually was?
