Hannaford data breach – almost 2000 cases of fraud reported

Many sources are reporting on a data breach in the US Hannaford retail chain where customer credit and debit card numbers were exposed by some sort of intrusion into their computer systems. Unfortunately, this kind of report is all too common.

What I find interesting is the message to their customers by their CEO. He states in part:

Hannaford has contained a data intrusion into its computer network that resulted in the theft of customer credit and debit card numbers. No personal information, such as names or addresses, was accessed. Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions.

We sincerely regret this intrusion into our systems, which we believe, are among the strongest in the industry. The stolen data was limited to credit and debit card numbers and expiration dates, and was illegally accessed from our computer systems during transmission of card authorization.

So how are credit and debit card numbers not “personal information”?

Read a report on StorefrontBacktalk

Read the Hannaford statement

Be smart about data

For the London Free Press – September 4, 2007

Read this on Canoe

Excited to head back to school with a shiny new notebook computer? A few precautions will lessen the risk that using that computer will lead to trouble.

– Wireless Internet connections are great, but information can be stolen from notebooks while they’re online. For information thieves, it can be as simple as finding someone online using an unsecured wireless network.

If you connect to the Internet using a Wi-Fi network, make sure you use an official one, such as your official university or college Wi-Fi site. Some unofficial Wi-Fi networks are rogue “smurf” sites that allow others to steal personal information or upload viruses on your wireless device.

– Downloading from the Internet also makes you vulnerable to computer viruses — so make sure you have adequate virus protection. The hassle, time and expense of removing a virus is not worth the risk of going without it.

Downloading music (but not video) is generally felt to be legal in Canada — but offering commercial music or video to others and posting it to the Web can easily cross legal lines. The entertainment industry pays close attention to campus networks and users so don’t make yourself a target.

Students should remember to use the Internet as a research tool, not a photocopier. Copyright laws do give wider latitude to copy for academic papers than for commercial works. That is a different issue than plagiarism, however. Always be sure to cite any material taken from the Internet and never try to pass off someone else’s material as your own.

– For those who will stay in touch with friends and family through online networking sites such as Facebook, remember your information is available for others to see. A general rule of thumb is that if you wouldn’t want a prospective employer to see it, it’s best to keep that information to a more private venue.

– Always use effective passwords on e-mail accounts and other access points. In a crowded campus building, protect your notebook and your information by requiring a password to be entered after a few minutes of inactivity. Make sure you choose passwords that are not obvious, and don’t share them with others.

Saving passwords for websites on your computer can be convenient, but it might not be worth the risk if you leave your computer turned on and unattended. If you use an open Internet network, saving passwords on your computer may enable a savvy computer hacker access to banking and other records.

– Computers aren’t the only risks students should be cautioned about. Many students will use debit cards, credit cards or student cards that have been pre-loaded with money. It is important to keep the cards in your possession, keep any PINs secret, and review your card balances or statements regularly to ensure nobody is spending your money.

Get used to guarding your credit card numbers and debit card PINs. Check receipts to make sure they don’t print the full card number, and don’t leave them lying around. Never throw anything containing personal information in the trash — always shred or destroy it.

Being aware of these risks and taking simple precautions will ensure students can concentrate on more important matters, such as tomorrow’s midterm or Friday’s toga party. Not everyone is out to steal your personal information or your money, but it’s worth taking steps to protect yourself.

Stop printing credit / debit card #’s!!!

The Toronto Star has an article today entitled Credit card slip-ups can carry a cost that talks about the fact that merchants still print debit and credit card numbers on receipts even though it violates privacy laws and card issuer rules.

Columnist Ellen Roseman suggests taking the approach offered by Visa – complain to your card issuer with the details of the merchant name, location, and date. Also cross off the numbers from merchant copies of your receipts (I do that all the time.)

This is a pet peeve of mine. I don’t understand why merchants do this. It serves no purpose, violates privacy laws, is a fraud risk, and puts the merchant at risk. Another concern of mine is whether they keep it electronically, which is just as bad.

For more info on this topic click on “debit card” or “credit card” in my tag cloud.

Read the Toronto Star article

Credit Card numbers on receipts – US lawsuits

Evan Schuman’s StorefrontBacktalk has an article about attempts to pursue legal action in the US against retailers who print credit/debit card numbers on receipts. Evan says the Fair and Accurate Credit Transactions Act (FACTA) makes it illegal for a retailer to print more than the last five digits of a credit/debit card number, and it also forbids printing the card’s expiration date on that receipt.

I have not written about this for a while – but this is an issue that continues to bother me. It violates privacy laws in Canada to print full numbers on either the customer or retailer copies – but it happens all the time. And some print too much of it, or print the first several digits, or print them on the retailer copy but not the customer copy. When various retailers print various parts of the numbers it makes it too easy to combine them back together.

The other thing that concerns me is what part of those numbers and other info the retailer keeps on their systems. There is no reason to print or keep those numbers.

There have been many incidents where paper containing credit card numbers has shown up in the wrong place (dumpsters, alleys) or in the wrong hands (fraudsters), or where electronic records have been similarly compromised.

So I fail to understand why any retailer would risk that happening to them. After all, the best way to protect against personal information being misused or lost is to not have it in the first place.

Take a look at the posts linked to “credit cards” in my tag cloud to see earlier posts on the subject, including a letter from the Ontario Privacy Commissioner from a year ago sent in response to an article I wrote on the subject.

We need to put pressure on retailers to get this right.

Read Evan’s article about the US lawsuits

Reader comment on printing debit / credit card numbers on receipts

A US resident who suffered credit card fraud while in Montreal sent me an email to comment on my article saying that merchants should not print debit or credit card numbers on receipts.

UPDATE: See relevant comments from a US counsel, and by David Fraser of The Canadian Privacy Law Blog

I have mentioned this issue many times. Click on “debit card” or “credit card” in my tag cloud to see earlier entries on the subject. The privacy commissioners agree, and the major credit card issuers agree, but it still happens all too often.

The email says:

Mr. Canton,

After a long weekend dealing with my bank regarding an issue of credit card fraud I came across your article. I thought I would let you know this really does affect people and not necessarily who you would think. I visited Montreal a year ago for a conference; I used my check card at two stores. This weekend my check card was used in Montreal for roughly $6,000 worth of attempted purchases. I was of course not in Montreal this weekend; I was at home in ***********. The bank was very good about stopping the transactions and freezing the card, and I won’t be liable for any of the charges. But after dealing with it, I wondered how this could have happened. I hadn’t lost my card; I still have it in my wallet in fact. I don’t use it for online purchases. Then I thought, well I still have the receipts from the trip because it was for a business trip. I reviewed the receipts today; much to my surprise they have my name, full credit card number and expiration date on them. I am certain that this is how my card was used. I was shocked to find my full credit card number on a receipt. This is not done in the US at all. I cannot believe that businesses are foolish enough to do this, let alone allowed to do this. I sent an email to the Commission d’acces a L’information du Quebec regarding the matter at: cai.communications@cai.gouv.qc.ca and pointed them to your article. I just thought you might find this interesting. Thanks for your time.

Card receipts in trash – stop printing numbers!!!

David Fraser has a post telling about a dumpster in BC that was full of credit card receipts with card numbers and names. They were intended to go to the shredder.

Businesses must stop printing credit or debit card numbers and cardholder names on receipts – both the customer and their own copy. There is absolutely no need to do that – it breaches privacy laws – and increases the risk of fraud.

This is a pet peeve of mine, and of David Fraser. The Ontario Privacy Commissioner agrees – as evidenced by a letter she sent me a while back in response to a column I wrote. The credit card companies have policies that say they should not be printed.

So it’s beyond me why it still happens so often.

Read David’s post

Read an article of mine on the topic

Read the privacy commissioner’s response

Privacy commissioner responds to debit/credit card article

Ann Cavoukian – the Ontario Privacy Commissioner – sent me a letter following my recent newspaper article saying merchants should not print debit or credit card numbers on receipts. My article referred to an Alberta privacy decision.

That is a practice I believe violates privacy laws – but full numbers are printed far too often.

The commissioner says: I wanted you to know that I feel strongly about the privacy issues raised in this case, since it clearly illustrates the risks to individuals arising from the poor information management and security practices of organizations.

Attached to the letter are summaries of Mastercard and Visa policies for truncating numbers, and US national standards. In the long run, those are all good news – the issue is one of timing.

The letter is a good read for anyone interested in the issue.

In the meantime, continue to mention the issue to merchants that print the entire number.

Read the Privacy Commissioner’s letter

Read my article

Printing card data not smart

David Canton – for the London Free Press – May 20, 2006

Read this on Canoe

Next time you make a purchase, look at all copies of the credit or debit card receipt. They shouldn’t, but often do, show your entire credit or debit card number.

Printing those numbers on the customer or merchant copy is dangerous if receipts fall into the wrong hands.

That happened at a beauty supply store in Edmonton, Alta. Receipts bearing debit and credit card numbers were discarded in a dumpster behind the store and retrieved by criminals searching for private information. As a result, a customer was the victim of credit card fraud.

Alberta’s privacy commissioner got involved when Edmonton police were tipped off that confidential client information was being improperly disposed of by the store. The tipster gave the police receipts from the dumpster as proof.

Police recovered more than 2,600 customer credit and debit card sales transaction receipts. Thousands of clients had been put at risk of fraud, identity theft and other privacy violations.

The commission found that the store had not adequately protected its customers, and made recommendations on how it could do better.

First, it recommended the store implement a system to abbreviate the credit and debit card information that gets printed on receipts.

It also recommended the store secure the receipts while they were on the premises, destroy them by shredding or other means before disposal, dispose of them only in locked garbage bins and trash cans and keep a log of who had access to them.

The commission stressed the importance of teaching all employees about the need to protect clients’ privacy.

Unlike the Alberta Privacy Commission, the federal privacy commissioner has yet to address the issue of printing credit and debit card data on receipts. While the Alberta privacy legislation is different than the PIPEDA legislation that applies in Ontario and other provinces, there is no reason to believe the outcome would be different.

Businesses protecting their customers in this way also safeguard their own interests. No business wants to face a privacy investigation, or to expose its customers to credit or debit card fraud.

There is no need to print full debit or credit card numbers on either merchant or client copies of receipts. By the time the receipt is printed, the bank or credit card company has already OK’d the transaction.

The next time you see your debit or credit card number on either your own or the merchant’s copy, complain to the merchant. If their practice does not change, complain to the privacy commissioner.

NOTE: See David Fraser’s comments about this

Privacy Decision – printing credit/debit card numbers on receipts

I have long maintained (as has David Fraser) that printing full debit or credit card numbers on store receipts – both customer and store copies – is a bad idea, and a violation of privacy laws.

Thanks to David for pointing out on his Canadian Privacy Law Blog a recent decision of the Alberta Privacy commissioner that supports this.

An Edmonton company printed full card numbers, then disposed of them in a dumpster. They were then obtained and used for fraudulent purposes.

The commissioner found a number of things wrong – including the printing of the numbers.

The decision is a good read for any retailer as it sets out proper practices for handling credit and debit card information.

Read David’s post

Read an earlier article of mine on the topic

Privacy: torn credit card applications, torn careers

A couple of interesting privacy matters.

First, the former Canadian privacy commissioner, George Radwanski, has been charged with fraud and criminal breach of trust. He resigned in 2003 after the Auditor General raised allegations of misspending and other behaviour inconsistent with his position.

David Fraser’s blog has links to articles with more detail.

Second, Slashdot has a post telling about a person who, as an experiment, tore a credit card application he got in the mail into little pieces, changed his address to his parents’ address, put his cell # on the app, and submitted it. Take a look at the link on the Slashdot post to see photos of the actual application.

Sure enough, a credit card arrived shortly.

Truly bizarre that a taped together application, especially with altered information, would be accepted.

2 lessons from that. No business should accept that kind of application. And everyone should invest in a cross-cut shredder. Shred absolutely everything you dispose of that contains your name or any kind of personal information.

Read David Fraser’s post on Radwanski charges

Read the Slashdot post about the torn app