4 Steps to Follow When Your Credit Card Is Compromised

17 April 2012, 10:47 pm I read and heard the news that Global Payments, a credit card payment processing company, was breached and approximately 1.5 million accounts were compromised. I thought nothing of it, beyond, those folks whose accounts just got compromised just had their day ruined.

Should have been a bit more introspective? On March 31, I received an email from my credit monitoring service, how a negative event had been recorded on my credit report (on April 2 I'd receive another such advisory). Also on Monday, April 2, there arrived a plain nondescript envelope containing a letter which had a card of some sort inside. I sure hoped this was another of those "bring this card in when you open an account and we'll give you $50" direct mail offerings from a local bank. I knew I wasn't going to be so lucky.

The letter starts off: "Enclosed is your replacement Visa card, including a new account number."

The good news continues:

At "your bank," we take your account security very seriously. We have learned that some credit card information from your Visa account may have been compromised at a third-party location? For your protection, your existing Visa account will be closed within seven days of the mailing date of this correspondence.

The letter closes:

You can feel safe knowing that your account comes with exceptional security and protection. With zero liability fraud protection, you won't be held liable for the fraudulent use of your credit card.

My bank acted expeditiously, they truly did do me a service with their prompt action.

Now what do I have to do, and how long will it take me?

The four steps:

1. Activate the new credit card immediately & destroy the old card


2. Call the vendors with whom I have auto-pay and change the account information


3. Check the credit card statement for fraudulent charges and report any to the bank


4. Check the credit report for the next year (and beyond) for spurious credit events (credit cards, loans, liens, etc.)

How much time will this take?
Re #1: 10 minutes tops, even if customer service needs to speak to me directly.
Re #2: It might take an hour or two (or more) to contact all of the vendors with whom I have an automatic recurring charge debited to the credit card. In my house we found we had quite a number and it took us about 2+ hours to get all the various entities squared away. Some vendors did require we appear at their place of business.
Re #3: Continue to check, daily, the credit card statement for fraudulent activities.
Re #4 Review the credit report. See if yours is like mine, I noticed this event was recorded as a NEGATIVE event. And alas, I also noticed the ever-so-slight downward movement of my FICO score (your score's mileage may vary).

Here's how my credit reporting company displayed the event to me:

Once the dust settled, I reviewed all the steps taken. I tried to obtain more data on this specific breach, I contacted Global Payments and asked some basic questions, which I hoped would be able to allow me to determine if their breach was the cause of my credit card being replaced (Answers provided in bold).
1. What was the final number of accounts which were compromised by the unauthorized access to your system? ~1,500,000 per FAQ
2. How many banking institutions (Banks, Savings&Loan, Credit Unions, etc) were affected? No Answer
3. In which states were "breach notification laws" germane to the unauthorized access to your system? No Answer
4. Was this event limited to U.S. cardholders or was this international? Predominately U.S. per FAQ
5. Was your system judged to be compliant with the PCI standards? No Answer
A. What was the date of the most recent compliance certification? No Answer
B. Who or what entity conducted the compliance certification inspection? No Answer
6. Are you offering "credit report" monitoring to all of those whose credit cards have been compromised? Contact your bank per FAQ

Global Payments forwarded to me a link to their crisis FAQ page they created: Global Payments 2012 Info Security Update

Absent any exactness in the answers, I tallied up who was expending efforts and concluded: the issuing bank had expended time and energy; as did the vendors with whom I do business and I too had an expenditure of time and energy. Expenditures all required to clean-up after an entity who lost my credit card data.

Back to Global Payments, the fact VISA suspended Global Payments PCI-DSS certification made sense -- they were breached. And as we all know, "Compliance does not equate to Security." Receiving a certification of compliance demonstrates that at that given point of time the entity was in adherence to the PCI standards in place at that specific time. The threat landscape is dynamic and ever changing requiring those entrusted with our data to take steps beyond compliance to protect that data..

Given a "third party" lost my PCI data, and caused a cascade of events and expenses for others, that there had to be an equitable way to pass through the cost and expenses to the party responsible for the events. I thought I would do a light calculation on the amount of time which was expended: If each individual whose card data was compromised spent 30 minutes and their vendors also spent that same 30 minutes, then Global Payments event alone consumed approximately 1,500,000 of lost and uncompensated labor hours (not including the resources and expenses incurred by the bank, VISA and Global Payments). Quite an expense, quite the loss in a time when our economy can least afford to squander any resources. What recourse may be available?

I'd like to propose VISA, MASTERCARD, AMEX , CITI and others card services levy a $100 fine upon any PCI certified entity which loses customer PCI data. This $100 should pass through directly to the card holder. Why $100? It's not a large amount, while is of sufficient size to send a clear message to any entity which loses a consumer's PCI data. The certification process for PCI-DSS is an industry certification (not governmental). Therefore, if PCI compliant company loses their customer's data, they can can effectively be held both accountable and responsible to those shouldering the clean-up -- or at least at $100 per account.

What do you think of this proposal?

Foxconn Hacked! (Could It Be You?)

15 February 2012, 12:28 am The headline I read said, "Foxconn Hacked," and it shouted out and off the page, the underlying implication being that there might some downstream issues if Foxconn Technology group (part of the Hon Hai Precision Industry of Taipei and one of the largest contract manufacturers on the planet) had their infrastructure invaded, executive email collected and posted, etc. There just might be, but we'll let Foxconn and those who contracted their services noodle on that situation and work through their "all hands on deck" emergency.

Instead, let's focus on how this headline could have featured your company's name instead of Foxconn's, and let this be a teachable moment.

Action Required: Update your device's software! That's it.

All devices that utilize software are subjected to continued review and scrutiny as technological advances may reveal vulnerabilities that the vendor/creator could not have been aware of when the device was sold. Vendors provide revisions, updates and patches to address just this issue. But, if you don't update your software or execute the patch, then you have left open the "window of vulnerability." And that window of vulnerability is no longer one only known to the manufacturer, but is now known to any entity with the motivation to attack you, be they cyber criminals or cyber savvy protesting entities focused on your industry, they are counting on you not to update your software, leaving yourself as "easy pickens."

The headlines read, "Foxconn Hacked," but could it have just as easily had your name instead? Keep you, your company, and your customers safe by staying secure and closing those windows.

See the Guardian piece on the Hack.

Five Tips for a Safer Internet Day 2012

7 February 2012, 3:58 pm This week the EU celebrates another Safer Internet Day 201 (SID2012). I've personally supported this effort over the years as I think the organizers do a fine job of bringing to the forefront good advice on how to stay safe online for parents, schools, communities and our youth. They also provide a plethora of collateral materials to allow you to go as deep as desired on many of the nuances of online safety and security for our youth.

Apropos of SID2012, a few days ago I was involved in a discussion on Facebook with my friend and fellow Privacy and Online Safety advocate, Bethan Cantrell (who also happens to be the IEB/xBox Privacy Manager ) surrounding online safety messaging to our youth. The premise of the discussion was, if you only have 30 seconds, what are the most important items to discuss?

Here are five I believe to be among the most important. What are yours?

1. Friends -- no need to "friend" everyone. Would you invite the entire school -- be it elementary, middle or high -- to your home and pull out the family photo albums and journals from the last few years for everyone to look, copy and retain?

2. Oversharing -- resist the urge to share *everything* about your life within the social networks -- tagged pictures, photos with your name, address, or license plates, your pattern of movement -- to include coordinating children's car pools via Facebook or Twitter.

3. Passwords -- Change them regularly, use them only once for one account. If you use identical passwords across multiple online accounts you are putting the security of all those accounts in the hands of the one with the weakest security architecture. Lose one, and the criminals will find a way to exploit them all. Easy way to remember that was given to me many years ago: Passwords are like toothbrushes; you don't share them and you change them regularly.

4. Privacy Polices -- for parents and young adults -- search every online entity which you associate for their privacy policy and then search for the word "share" -- you'll most likely find how your information will be shared and utilized in this portion of the policy. (hat tip to Rebecca Herold, the Privacy Professor, for sharing this tip during a recent television interview).

5. The computer is for receiving information -- for the very young -- the computer attached to the Internet is where we receive information, not share information. Younger and younger, our children are arriving online and the very young have little or no decision making skills -- keeping it simple puts the correct stance -- don't share anything within their nascent decision making capabilities. (hat tip to Scott Porad, CTO of Cheezburger (for sharing this tip with me some years ago at Gnomedex 2009).

Clearly, this list could grow to the hundreds or thousands as we each hone in on an area of interest. The end goal for you should be, teaching your children how to make online decisions with the same level of detail and scrutiny as they do their off-line (or IRL -- in real life) decisions.

The above were my five; what are yours?

Data Privacy Day -- Version 2012

29 January 2012, 9:42 pm As we draw Data Privacy Month 2012 to a close and celebrate Data Privacy Day on 28 January, we bear witness to a number of new privacy policies which are being presented, dare one say thrust, upon user populations for major online social networks.

Let's look at Google, who in complete transparency has rolled out their new Privacy Policy (effective date March 1, 2012) which states in clear and unambiguous terms: Google collects information. You also give Google information -- i.e. your profile. When you are visiting their services -- they may collect specific information on your device; information with respect to your session -- i.e. IP address; your queries; and cookies. If you turn on your device's GPS, they may collect your exact geographical locale (see "Double Edge Sword of Location Based Services"). Perhaps the most important aspect is how they use your information, with your consent: "We will share personal information with companies, organizations or individuals outside of Google when we have your consent to do so. We require opt-in consent for the sharing of any sensitive personal information." If you are using Google, you want to get in there and look at what information you have provided your consent for Google to share. (Here's Google's privacy page)

Meanwhile over at Facebook, they too have streamlined and rendered more readable their privacy policies. Important to understand is the information they receive about you: You provide info at registration; you also provide information via your posts, photo and videos and tagging activities; they do collate the information others share about you (tagging or on your wall); and those games or applications you use also provides Facebook data about you; and here too, if you provide your location then your location is retained. There is a whole section on that information which you choose to make public -- read it. And they too divulge how your information will be used: to provide you with a better experience; and they too share information with others only when you have provide your consent; given you notice how and what information will be shared; and removed personally identifying information. If you are using Facebook, you want to get in there as well and lock down your privacy settings at the levels commensurate with your comfort level. (Here's Facebook's privacy page)

While there are many other environments, I believe these two are representative of the current state of affairs with respect to user/consumer privacy. Are you content and comfortable with this as the status quo? No? Neither am I.

I'd like to see industry move to an environment where the preferences and identity of the consumer are 100 percent controlled by the individual consumer. In the good ol' days a coupon drawn from the Thursday paper for eggs, and utilized at the supermarket, would provide to the retailer feedback on the marketing medium which brought you into the store (i.e. measurable results); would allow the retailer to determine if the "eggs" were an effective draw, what other goods were also purchased (also measurable). But it wasn't necessary for the individual to reveal their identity for the transaction to occur, for the consumer to receive their goods and for the merchant to be successful.

I want the retailer to provide to me the best possible recommendation, personalize it for me, but without my being required to provide my personal identity to make it happen. Industry must drive to present to me, the consumer, the right service, the right content and the right product at the right time, based on my individualized preferences, which are provided without my individual identity and thus ensuring my privacy. I think we can and should strive to achieve this in 2012 so that Privacy Day version 2013 will be known as the day the consumer had total control of their privacy.

Are Your Health Records at Risk?

18 October 2011, 8:36 pm Last week I read a disturbing headline, "Patients put off treatment due to NHS data breaches," and was rendered slack-jawed. The UK's National Health Service, has according to the UK's Information Commissioner's Office suffered regular data breaches resulting in the loss or mishandling of millions of patient records in 2011. Before we sigh in relief as to how it isn't the U.S. being discussed, know the UK isn't alone in the loss of Personal Health Information (PHI), as throughout the U.S., hospitals and care-givers are losing patient PHI on a far too regular basis. As I discussed in my piece, "Patient Data: The Crown Jewels" in the first half of 2011, more than five million (5,000,000) PHI records were lost or mishandled in the U.S., 100 percent of which were preventable. Meanwhile, in just the last month, we read in SC Magazine's Data Breach Blog how a Delaware pediatric health facility lost data on 1.6 million patients. Then we learned of the astounding loss of approximately five million PHI records of Tricare patients, and we soon arrive at the very worrisome realization; the total is well beyond 11 million PHI records compromised thus far in 2011.

So should we be concerned when more than 3.5 percent of the entire U.S. population has had their PHI compromised? Yes.

A SailPoint Market Plus Survey conducted by Harris Interactive released in September 2011 is instructive and should serve as a barometer of sentiment to the medical profession:

• 29 percent of Americans, 26 percent of Britons and 26 percent of Australians expressed concern their PHI may be exposed on the internet.


• 35 percent of Americans, 33 percent of Britons and 37 percent of Australians expressed concern their PHI may be used for identity theft


• 10 percent of Americans, 14 percent of Britons and 11 percent of Australians expressed concern their PHI would be accessed by staff members not directly related to their medical care.

As the NHS survey in the UK indicates, patients will put off seeking treatment, as they are concerned about the unintended consequences suffered when their PHI may become compromised. This should never be the case.

Notified individuals are now, on medical identity theft alert, and will be for the remainder of their lives. They will need to watch for the exploitation of their PHI and mindful of the very real potential that if their PHI is exploited and used, that their PHI may become corrupted. Healthcare providers will have to take additional steps to ensure that the person they are treating is the person whose records are being referenced.

On the financial side of the equation, there is the breach notification cost which will be borne by the party who lost your PHI. According to the Ponemen Institute, the ultimate cost for each compromised record has reached 214, while the overall organizational average cost in the U.S. at 7.2 million per incident. Oftentimes the individual whose record has been compromised will be afforded credit monitoring services for 90-days. In my opinion, it should be for life, vice 90-days. Why? Your personal identifying information (PII) contained within your PHI has a shelf-life equal to your physical life, not 90 days.

Have we now arrived at the point in obtaining medical care that in addition to looking into the medical practitioner's experience, confirm that they are compliant with HIPAA, that we now must review their data handling policies both electronic and physical in choosing a health care provider?

Welcome your thoughts and comments.

For additional reading:
Patients put off treatment due to NHS breaches (13 October 2011)
Ponemon: Cost of a data breach climbs higher (8 March 2011)
SC Magazine: Data breach log (11 October 2011)
SailPoint Survey Highlights Consumer Fear Over Stolen Personal or Financial Information (20 September 2011)