<![CDATA[Consumerist: Data]]> http://consumerist.com/tag/data <![CDATA[ Former Countrywide Employee Arrested For Stealing, Selling Customer Identities ]]> The FBI has announced that a former Countrywide employee and his accomplice were arrested on charges related to "illegal access of computers containing personal information," and "illegal sale of the data." A criminal complaint filed last Friday alleges that one of the men, Rene L. Rebollo Jr., a senior financial analyst for Countrywide Home Loan's subprime mortgage division (who was let go in July), had been harvesting data from Countrywide's computers for the past two years — downloading and storing the information on personal flash drives.

Rebollo would then sell these "leads" to another man, Wahid Siddiqi, for $500 per batch. The FBI says that Mr. Rebollo admitted that he profited approximately $50,000 to $70,000 from selling the data, which included the Social Security numbers of as many as 2 million mortgage applicants.

The LA Times says:

Rebollo would copy information on about 20,000 customers at a time on Sunday nights by using a [Countrywide] computer that did not have the same security features that other machines in the office had, according to the affidavit by FBI Special Agent Richard P. Ryan.

At that rate, the U.S. attorney's office said, Rebollo would have compromised up to 2 million customer profiles for about 2.5 cents each — an astonishingly small amount considering the importance of the material. Mortgage leads are among the most expensive for sale because of the potential payoffs to intermediaries when loans are made.

To top it off, not only was this guy selling his customers' SSNs, he wasn't even very good at it, said Beth Givens, director of the Privacy Rights Clearinghouse:

"This guy obviously didn't do his homework. He doesn't know the value of these on the black market," she said.


Countrywide insider stole mortgage applicants' data, FBI says [LA Times] (Thanks, Alison!)
(Photo: So Cal Metro)

]]>
Mon, 04 Aug 2008 09:59:40 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=5032665&view=rss&microfeed=true
<![CDATA[ Disgruntled Computer Technician Outs Super-Rich Tax Cheaters To The IRS ]]> U.S. law allows whistleblowers to collect 30 percent of any taxes recovered as a result of their information, and it seems that one disgruntled computer technician is taking advantage of the program. Meet Heinrich Kieber, a nefarious criminal-type turned "good guy" who will be testifying in front of the "Senate's Permanent Subcommittee on Investigations Thursday via a video statement from a secret location," according to ABC News. Mr. Kieber is from Liechtenstein, a tiny country with very secretive banking laws. He stole banking information that showed how the world's super-rich were skirting their countries' tax laws. Kieber then sold the information to tax authorities in 12 countries, including the U.S., hence the whole "secret location" thing.

Kieber reportedly sold three CDs full of names and data to tax authorities in 12 countries including Germany, Great Britain, France, Italy and the United States.

Tax authorities in Italy published the full list of names.

In Germany, the disclosures led to the arrests of several prominent CEOs on charges that they had evaded millions of dollars in taxes.

A former UBS private banker, Bradley Birkenfeld, has agreed to a plea deal and is reported to be cooperating with US authorities in bringing charges against American citizens on tax evasion charges.

The Liechtenstein bank, LGT, is owned by the tiny country's ruling family led by Prince Hans-Adam II.

Kieber's Washington lawyer, Jack Blum, says Kieber should be considered a whistleblower and a hero, not a thief, for revealing how the super rich hid billions of dollars using the Liechtenstein bank.

Whatever you think of thieves (we're not fond), you have to admit that it takes serious balls to be comfortable pissing off a fairly large percentage of the world's super-rich and powerful tax evaders.

Day of Reckoning? Super Rich Tax Cheats Outed by Bank Clerk [ABC News]

]]>
Tue, 15 Jul 2008 16:34:12 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=5025519&view=rss&microfeed=true
<![CDATA[ Don't Live Near A Big City? Here's Something You Should Know Before Upgrading Your iPhone ]]> The new iPhone is 3G—but AT&T's 3G network isn't exactly "nationwide," so you might want to check the coverage map to make sure that there's a 3G network in your area.

For example, Des Moines, Iowa is big enough to have an Apple store — but there's no 3G coverage yet. (If you're wondering what 3G is, you can click here.) Without 3G coverage the new iPhone will use the more widespread EDGE network, and you won't see an improvement in speed.

You can check out AT&T's data coverage map by clicking here. Zoom in to see if there's 3G coverage in your area. Silicon Alley Insider also has a good map that you can check out.

Where Apple's New iPhone Doesn't Help: AT&T's 3G Dead Zones [Silicon Alley Insider]
AT&T Coverage Map [AT&T]

]]>
Fri, 11 Jul 2008 11:42:56 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=5024054&view=rss&microfeed=true
<![CDATA[ Stein Mart Settles Personal Data Breach By Offering... Coupons ]]> Stein Mart was caught "printing expiration dates and/or more than the last five digits of credit cards on receipts," and was subsequently hit with a class action lawsuit for exposing sensitive customer data. Now they've settled by agreeing to run coupons in local newspapers. It gets better: instead of a flat 20% off coupon, the store is requiring minimum-purchase amounts that reduce the savings if your purchase falls between the arbitrarily set thresholds.
  • $10 off a purchase of $50 or more
  • $20 off a purchase of $100 or more
  • $30 off a purchase of $150 or more
We need a new federal law that says class action lawyers have to be compensated in the same manner as their clients. Give those hard working guys and gals some $30-off coupons, please!

Stein Mart seems to think that when it comes to bad security, intention makes all the difference:

A representative for Stein Mart said the company is not aware that anyone's identity was stolen and that the company was a month away from having all their printing procedures corrected.

If you're really interested in those coupons, check out steinmartsettlement.com.

[WSMV Nashville] (Thanks to Martin!)
(Photo: Getty)

]]>
Tue, 08 Jul 2008 16:00:13 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5023071&view=rss&microfeed=true
<![CDATA[ Curves Leaves Working Computer Full Of Personal Information In An Office Dumpster ]]> UPDATE: Adam has been in contact with the owners and has posted an update on his site.

Reader Adam writes in to let us know his relative found a working Dell computer in the dumpster at his office complex. It appeared to be in functional condition, so he took it home. Sure enough, it took only a bit of tweaking before it was back to working order—as a Curves Fitness employee and customer information smorgasbord.

Adam dug around a little bit on the computer and found employee phone numbers, customer addresses, and credit card info. The Curves in question is located on 134th Street in Vancouver, WA. Adam called to let them know what happened, here was their response:

Before I posted this I tried twice to talk to the manager of the offending Curves… both times I called they were “busy” or “out”. No one offered to take a message so I never left one.

I’m not sure if it’s that they are not used to men calling (Curves is a women’s club) or if their customer service is just as crappy as their data destruction policy. In any case, as I said in the post, I contacted the corporate office. After I made this post I did call again and got voice mail; so I left a message inviting the manager to [read this post].

Adam also contacted Curves corporate before contacting the local franchise. They told him that, although each franchise is responsible for its own IT and privacy policies, they agreed that this franchise's actions were inappropriate and they'd get in touch with the franchise.

Dear Curves, Respect Your Client and Employee

]]>
Thu, 03 Jul 2008 22:25:07 EDT Alex Chasick http://consumerist.com/index.php?op=postcommentfeed&postId=5022090&view=rss&microfeed=true
<![CDATA[ Geek Squad Backs Up Your Desktop Shortcut Instead Of Your Data ]]> Reader Mike consulted Best Buy about removing a Trojan that was infecting his computer. They suggested that he buy an external hard drive, pay Best Buy to back up his data, and use his computer's restore disc. Mike agreed. 5 days later he got his computer and his external hard drive back — mostly empty, except for the shortcut to the folder where the data was stored. None of the files within the folder had actually been transferred.

Mike writes to Best Buy:

Our home computer was infected by a Trojan that had seriously slowed down our service and had recently caused the computer to cease running a crucial process. When we took the CPU into the Geek Squad, they suggested that our best option was to have them back up the hard drive, and for us to then run the computer’s Restore disc at home.

We were asked to fill out a form that contained the absolute minimum that must be backed up. I listed on that form 3 folders of personal documents and a single Word document that resided on the computer’s desktop. However, we were then informed that the best way to absolutely ensure the Geek Squad’s ability to back up our entire hard drive would be to purchase an external drive whose capacity was at least as large as our computer’s. We thus purchased for approximately $95 a 500 GB external hard drive on which to back up an 80 GB computer.

The process, we were told, would take 2 to 3 days. After 5, we were finally told that our computer was ready.

Having picked up the CPU and brought it home, I checked the contents of the external hard drive before running the restore disc. At this time I discovered, firstly, that only the bare minimum had been backed up—the three folders and one document that we had indicated on the form. Since I had purchased the 500GB hard drive specifically because I was told that this would with certainty allow the Geek Squad to back up the entire hard drive, this was extremely frustrating.

However, the situation almost immediately graduated from frustrating to infuriating. One of the three folders I had marked on the form was the “My Documents” folder. The icon for this folder on the hard drive indicated that the file size was 1 KB. The technicians at Best Buy had NOT backed up the “My Documents” folder, as I had requested: they had backed up only the shortcut. None of the files within the folder had actually been transferred.

There is an expectation upon the part of the consumer that Best Buy’s computer technicians know what they are doing. The fact that they were not tipped off by the “1 KB” notation that I noticed immediately suggests precisely the opposite: that the Geek Squad at Best Buy on 14th Street are lazy at best, incompetent at worst.

I am extremely unhappy. I spent all night last night backing up the computer myself—a service I paid for rather handsomely, and for which I received LESS than the absolute-last-resort minimum that I had indicated on my paperwork. But my biggest regret in this entire fiasco is that I did not avail myself of the Best Buy Geek Squad’s long history of complaints and dissatisfied customers. I might then have saved myself a great deal of time and trouble.

Please be assured that I will not patronize Best Buy again.

Thank you.

Mike

Kudos to you for not waiting until after you nuked your hard drive to check the external. If Best Buy doesn't offer a refund for the services they did not perform, we wouldn't hesitate to contact our credit card company and request a chargeback.

(Photo: The Joy Of The Mundane )

]]>
Wed, 02 Jul 2008 13:55:41 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=5021481&view=rss&microfeed=true
<![CDATA[ Montgomery Ward's Hacked 6 Months Ago, But Victims Weren't Told ]]> Somewhere between 51,000 and 200,000 records were stolen from Montgomery Ward's servers last December—the company says it's the smaller number, but CardCops, the group that spotted the hack in the first place, "spotted hackers touting the sale of 200,000 payment cards belonging to one merchant" in June, which is how the story became public. Montgomery Ward knew about the breach when it happened, and although they reported the crime to federal investigators, they didn't tell any of the victims. The CEO of Direct Marketing Services, which owns the Montgomery Ward name, told the Associated Press that after he alerted investigators he felt his company "had met its obligations."

In case you needed more evidence that Direct Marketing Services isn't exactly a top-of-the-line company when it comes to data security, management, or customer relations, the breach wasn't even discovered internally:

Direct Marketing Services' CEO, David Milgrom, said the financial company Citigroup detected the computer invasion in December. By going through HomeVisions.com, another Direct Marketing Services site, hackers had plundered the database that holds account information for all the company's retail properties.

After the story broke last week, the company announced plans to contact the victims of the breach.

Direct Marketing Services says it now plans to contact the victims of the breach, but of course that's only to avoid further bad press now that the story has broken. Fortunately, they contacted credit card companies when they were first notified of the breach, so the industry has been monitoring suspect accounts and/or issuing new cards as needed. If you shopped at the Montgomery Ward website and found your Discover, for example, you may have been a victim. Congrats.

So why wasn't it reported? Because it's financially more rewarding to flout the regulations that require it if you're dealing with online transactions:

Such silence was the norm in the industry for years. But in response to fears of identity theft, 44 states have passed laws that generally require organizations holding consumer data to tell people when their information has leaked, according to the National Conference of State Legislatures.

Clements and other security analysts say that despite those laws, many breaches still are kept quiet, judging by the data being hawked in online black markets. Avivah Litan, an analyst at Gartner Inc., believes unreported data breaches might still outnumber the ones that do get publicized.

Litan says it especially is the case with online merchants. She believes it happens because of a lack of pressure from credit card companies, which are not responsible for fraudulent charges in "card not present" transactions over the Web and mail order. Until fraud actually appears on the card, they'd rather avoid the cost of voiding compromised cards and giving consumers new ones, she said.

"What it reveals is the convoluted banking system," she said. "If this had taken place at a grocery store, we all would have heard about it."

You know what would make for some good PR? If an online company stepped forth and made a commitment to reveal data breaches in a timely manner, and hired an outside auditing firm to enforce said pledge. Instead, we'll start the countdown to a class action lawsuit against Direct Marketing Services.

"Wards didn't tell consumers about credit card hack" [Associated Press]

]]>
Mon, 30 Jun 2008 12:23:58 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5020757&view=rss&microfeed=true
<![CDATA[ Sprint Responds To Your Request To Block All Internet Services By Signing You Up For A Data Package ]]> Chelsea noticed several mistaken charges on her Sprint bill for internet access, along with a late fee even though she was enrolled in automatic bill pay. Sprint quickly reversed the erroneous fees and suggested that she block access to the internet. Chelsea replied that this would be perfectly acceptable, so long as it was a free service. In response, Sprint signed her up for a $15 per month data plan.

Chelsea writes:

I've had Sprint service for seven years because I receive a state employee discount, and it's been pretty smooth sailing. Luckily when I renewed my plan in May, I was paired with a sales manager who seemed both friendly and efficient. Going through my first bill I noticed four incorrect charges, including mysterious internet usage and a late fee, despite the fact I've been on automatic payments for years. I emailed Sprint about these charges and promptly received a long and apologetic response from someone named Steffi. She credited all of the charges and informed me of a way to block internet access altogether. This all was great, so I wanted to express some gratitude:

Thank you for responding so quickly. I really appreciate your help with this invoice. If there's no charge in preventing internet access, I would like that to be applied.

You know, there's a lot of Sprint hatred out there, but I've never had a huge problem with anyone. Seeing weird charges on my bill had me worried, but I'm happy to see Sprint sticking to their word to provide good customer service.

Thanks again.

Soon after that email, I received this reply:

Thank you for contacting Sprint.

I appreciate you taking time out of your busy schedule to write regarding the excellent service you received. Our goal is to serve you with world-class customer service, and feedback from customers like you is a great source of motivation in our endeavor to achieve that goal.

I have added Sprint Vision Pack for $15.00 on the account effective June 20, 2008.

Now you can enjoy:

  • Unlimited Web/Data Access on Handset
  • Unlimited Picture Mail and Video Mail
  • Multimedia - Sprint TV Channel 1

Have a nice day!

Sincerely,

Peter P.

Sprint

......Wha-? I re-read my email to make sure I didn't somehow authorize this, but no, I mentioned preventing internet access. What a fool I was, doting on Sprint before the job was done. Instead of calming down and being rational, I replied with a crazy email rife with superfluous exclamation marks and all caps. I pointed out that's the exact opposite of what I asked for and asked if anyone even read my email.

The response email from Gloria D. wasn't nice and was certainly lacking any apology. But Vision has been removed, so oh well. A toast to Sprint and another glorious two years.

(AP Photo/Douglas C. Pizac)

]]>
Sun, 29 Jun 2008 18:30:48 EDT Carey http://consumerist.com/index.php?op=postcommentfeed&postId=5020633&view=rss&microfeed=true
<![CDATA[ The New $199 iPhone Is $160 More Expensive Than The $399 iPhone It Replaced. What? ]]> Apple's new 3G iPhone might seem like a bargain at $199: more features, 3G speeds, and $200 cheaper than the original model. Great, except it's not actually cheaper. The new $199 iPhone is actually $160 more than the $399 iPhone it replaces.

The iPhone itself may be cheaper, but the required flat-rate data plan now costs $30 per month, a $10 increase. Over the mandatory two-year contract, that works out to an extra $240. AT&T also now charges $5 per month for 200 text messages, which used to be free. That adds up to another $120.

Before you apply your generous $200 discount, you've already agreed to fork over $360. Two years from now, your new iPhone 3G will have cost $160 more than a current-model iPhone.

We're usually not ones for math, but our tech-drunk brethren over at Gizmodo confirmed the numbers:

Gizmodo believes that the iPhone's nifty new features justify the price bump. They may be right, but in unveiling the new iPhone, Apple zen master Steve Jobs argued in his keynote address that the reduced price was aimed at buyers who couldn't previously afford iPhones:

Everybody wants an iPhone, but we need to make it more affordable. And we know this because we go out and talk to people who didn't buy iPhones, and the number one reason, by far—they all want one—is they just can't afford it. Some of them can't afford it. So we need to make the iPhone more affordable.

The new iPhone is not more affordable. Anyone deceived by Apple's lower price point is going to get a nasty wake-up call when they read their first bill.

(Photo: respres)

]]>
Sun, 15 Jun 2008 18:10:35 EDT Carey http://consumerist.com/index.php?op=postcommentfeed&postId=5014850&view=rss&microfeed=true
<![CDATA[ Former Employee Says TJX Security In Lawrence, Kansas Is A Joke ]]>

Remember TJX's gigantic security breach problems last year, where data on 94 million accounts was stolen? Good for you, because apparently TJX doesn't. A former employee of a TJX store in Lawrence, Kansas was fired recently for posting anonymous complaints online about the current sorry state of his store's security, which included the store manager writing server login and password information on a sticky note, and the store resetting employee passwords to blank fields.

According to The Register,

Benson's May 8 posting was prompted by news that managers had changed the password for employees to access the store server. Inexplicably, it was set to blank. When Benson first began working for TJX, his password was the same as his user name, he said. Then came word in January 2007 that unknown hackers had brazenly intruded on the company's network over a 17-month period. For a time following the disclosure, TJX employees were required to use relatively strong passwords. The change to a blank password clearly represented a step backward, Benson thought.

TJX says the former employee divulged confidential information, but Benson claims that he's acting as a whistleblower to get them to improve their security:

"My information is still on that server," he continued, referring to the machine that sits in an office at the TJ Maxx where he once worked. "So if their network is insecure, then my information is insecure. I'd prefer they get it fixed."

"TJX employee fired for exposing shoddy security practices" [The Register] (Thanks to Will!)
(Photo: crazytales562)

]]>
Tue, 27 May 2008 13:55:13 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5011138&view=rss&microfeed=true
<![CDATA[ Pop Quiz: Can The Pizza Delivery Place Sell Your Personal Information Without Your Consent? ]]> You need the express written consent of Major League Baseball to do pretty much anything to a baseball game, but does your pizza place need your permission to sell your personal information (name, address and phone number) to the highest bidder? Take a guess. The answer is inside. Cheating is easy, but in poor taste. (For the purposes of this quiz, you live in California.)


The answer of course, is "false." If you managed to guess correctly, you're smarter than the average Californian. Two researchers at Berkeley conducted a scientific poll in an effort to determine how much Californians knew about their state's privacy laws. It turns out that large numbers of consumers have no idea that it's perfectly legal for lots of different kinds of companies to sell their information without their consent, including pizza delivery places.

From the research paper:

Pizza delivery companies, since they are called so frequently by consumers, are a hub for collecting personal information. A delivery company can collect and aggregate caller identification information (typically name and phone number), ask the customer for their phone number (which may be different than what is displayed by caller identification), and in order to process the order, acquire the delivery address. Pizza delivery information is used by private investigators and by governments to track individuals. In the marketing context, pizza delivery databases have been discussed as a source for phone numbers for wireless 411 databases.

When we asked Californians whether they thought pizza delivery companies could not sell personal information without their consent, 54.7% incorrectly answered true and 5.8% said they didn't know.

Other scenarios in which consumers assumed they were protected from sale of their personal information: donating to a charity, registering a product warranty, giving a phone number to a cashier at checkout, registering a product rebate, and ordering from a catalog.


Research Report: What Californians Understand About Privacy Offline [via CL&P Blog]
(Photo: Tyler Durden's Imaginary Friend)

]]>
Mon, 19 May 2008 11:05:32 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=5009701&view=rss&microfeed=true
<![CDATA[ RadioShack Won't Give Refund On Cash Purchase Unless You Show Your Papers ]]> RadioShack's whole collecting-your-personal-data nonsense is old news, but it's not just for purchases anymore. When Pete tried to take back some potentiometers he'd paid for the day before with cash, the clerk refused to give him any sort of refund—even a store credit—without Pete's physical address.

The clerk told Pete it was for loss prevention. Wait, what? Pete had the parts in his hand, and the receipt that showed he'd paid cash for the parts the day before. You mean there's no way RadioShack can track its purchases more precisely than matching up mailing addresses of anyone who walks into the store?
 
Here's Pete's email:

Dear Consumerist,
 
I have been avoiding RadioShack for ages ever since they started asking you for your street address and phone number just to sell you something. Once they stopped that practice, I reluctantly began returning to buy the odd piece for my electronics projects when I ran out of something and didn't want to wait for an order to be shipped from on-line retailers. At any rate, I was out running errands the other weekend and saw a RadioShack. Remembering that I needed a couple of potentiometers for an amplifier I was working on, I stopped to make my purchase. Wading through the overly "helpful" employees I found the electronic components area. But, I couldn't remember the exact values of the potentiometers I needed so I grabbed all they had, paid with cash and was on my way.
 
I went back the following day to return the un-opened potentiometers that I did not need - receipt in hand. The process went smoothly until the clerk asked for my street address. I told him that I prefer not to give that information out. They claimed that it was for "loss prevention purposes". I say "they" because another cashier came over, presumably for moral support to his co-worker. I told them to make an address up - no dice, claiming the "system" "will kick you out". I tried to explain that I have the receipt and the un-opened parts and that I paid with cash so they would have no way of knowing that I was the person who originally purchased them anyway, no luck. I tried for store credit, same result.
 
I suppose I could have made up an address, or even given them my real one, but I didn't feel like it. I shouldn't have to be put through a personal information wringer to complete a legitimate transaction that happens every day at normal stores. I felt like I was being accused of theft or had to, in some way, justify my actions.
 
I will say that the employees weren't rude and they were just carrying out what they were trained to do. In the end, I took the ~$10 worth of potentiometers home with me, where they sit waiting for a new project.
 
Is this normal business practice, or is it time for RadioShack to get with the times for its data mining?

(Photo: Brave New Films)

]]>
Thu, 08 May 2008 17:14:21 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=388727&view=rss&microfeed=true
<![CDATA[ It's Easy To Access Random Customer Info With Best Buy URLs ]]> Cole discovered that by simply incrementing a numerical string by one in a url Best Buy sent out, he could pull up screen after screen of random customer info. Fortunately, all he could see were customer names, their home addresses, and their order numbers. It's still surprising that Best Buy—or more specifically, Postpublisher.net, the email company they outsourced this to—wasn't more careful with customer security.

Here's Cole's email. We're going to pull out the actual URLs so we don't encourage more snooping, but we tried Cole's method and were able to pull up customer info screens on our own:

My friend pre-ordered GTA4 from BestBuy.com and since he doesn't have a printer he forwarded me the confirmation email of his purchase so I could print it out. The confirmation email contained a link to print out the page if you were having trouble viewing the email from within your email client. I was (since the message was forwarded to me the styles and images were all messed up), so I clicked the link which took me to [redacted]. I was curious how random the &e parameter was so I decided to play around with it and discovered it isn't really random at all and by incrementing a certain part of it I was able to find home addresses of other users of BestBuy.com who had packages shipped to them.
 
This seems like a pretty serious privacy issue as I am now able to find full names and addresses of people that have bought something from BestBuy.com and had it shipped to them.
 
Cole

]]>
Fri, 02 May 2008 11:45:27 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5007550&view=rss&microfeed=true
<![CDATA[ The BBC Writes Application That Steals Personal Info From Facebook ]]> Feel wary about giving applications access to your Facebook page? Worried one of those quizzes or games might be maliciously harvesting your data? You were right to worry. The BBC had the same idea, so they decided to write a program to do just that. And it worked. Not only did it steal the data of Facebook users who installed the application, it also victimized all of their "friends."

From the BBC:

We wrote an evil data mining application called Miner, which, if we wanted, could masquerade as a game, a test, or a joke of the day. It took us less than three hours.

But whatever it looks like, in the background, it is collecting personal details, and those of the users' friends, and e-mailing them out of Facebook, to our inbox.

When you add an application, unless you say otherwise, it is given access to most of the information in your profile. That includes information you have on your friends even if they think they have tight security settings.

Did you know that you were responsible for other people's security?

Facebook responded by saying that they remove applications that violate their terms of use.

'Identity' at risk on Facebook [BBC] (Thanks, T.J.!)

]]>
Fri, 02 May 2008 09:45:57 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=5007626&view=rss&microfeed=true
<![CDATA[ Wells Fargo Allows Your Data To Be Breached - Twice ]]> Reader Bryan's Wells Fargo credit/debit card stopped working unexpectedly one day while he was trying to gas up his car. He was confused because he had used the card the night before with no problems. He spoke to a Wells Fargo CSR at a local branch and discovered that the data for 125,000 cards, including his, was "compromised" thus deactivating his card. This had already happened to him once before within the last year and he was not pleased. His letter, inside...

Yesterday I was running late for work and arrived with just enough gas to get me to a gas station during my lunch break. I go to a gas station near my job on my lunch break to fill up my car. My debit/credit card linked to my checking account is denied. I had the clerk try both credit and debit, denied, denied. I used my card the night before with no problem. I go to another gas station down the street and denied again. So I call the number on the back and get a hold of a customer service rep. I explain my situation and they state, my card is in "conversion" and they sent me a new card in the mail. I explained to them that I never received a new card or a phone call telling me that my old card was going to get canceled. ( BTW I have almost 2 years before this card should expire) I ask them what caused my old card to expire before the given date. They put the blame on me, stating that I probably did weird purchasing activity or purchased a bunch online. I stated I purchased 1 item for under 20 bucks online in the last year and I check my account online daily. They went back and checked and then stated I was part of a mass conversion for my protection??? (only thing I need protection from is Wells Fargo)

After multiple calls, speaking to 2 supervisors, 3 customer support reps, and one customer support person at a branch, I found out data for 125,000 cards was "compromised".

This is the 2nd time within 1 year this has happened to me with Wells Fargo. (First time I gave them the benefit of the doubt since they had an old cell number to contact me, at that time I had them update my profile with my current cell number)

They offered nothing to help me out in the current jam of being at a gas station, with very little gas in my car, with no access to my money. They would not activate my old card temporarily so I could get out of this situation. (I expressed this to every person I talked with)

Between the several calls I got mixed information about how this process works and how long your old card will work during the conversion. (14 day, 21 days, 30 days. They are definitely not all on the same page within the same business. The lucky answer is 14-21 days)

No one would tell me exactly what caused this "compromise" of my card data. This was internal information. Yet I am having to deal with it.

I asked Joseph at the branch why I should stay a customer with them, he answered: "That is a personal choice and frankly I would not stay with a bank that offered bad customer service." Thanks Joseph for some honesty.

Both supervisors were really rude, claimed Wells Fargo did nothing wrong and implied this was my fault.

They offered me a temporary debit card the next morning at a branch location and stated I should be able to access $300 a day. Actually it's only $60 for the first day, I found this out after I left the branch, this further deterred my plans. (I work 9-6, which is their bank hours, very inconvenient for me, so I lose another hour of pay and I needed access to more than $60)

I left a voice mail (only option I was given) with a manager and have received no call back as to how my data was compromised.

Lesson learned, have a backup checking account just in case your bank decides to cancel your card and not inform you. Wells Fargo has terrible customer service and tons of red tape for us consumers who trust them with our hard earned money. Apparently 100,000+ card data is being compromised on a yearly basis.

We can understand your frustration, Bryan. To have to worry about running out of gas and where you are going to get a few dollars, all because of the bank's error, is really dehumanizing. To have it happen twice in 1 year would be more than enough for us to start taking our business elsewhere. Loyal Consumerist readers know that there are several reasons to have a backup credit or debit card. It sounds cliche but it's still good advice: Don't put all your eggs in 1 basket. It really is only a matter of time before your card has some type of glitch which could seriously inconvenience you or worse.

(Photo: Getty)

]]>
Fri, 02 May 2008 09:20:34 EDT Jay Slatkin http://consumerist.com/index.php?op=postcommentfeed&postId=5007576&view=rss&microfeed=true
<![CDATA[ Job.com Refuses To Delete Your Private Information ]]> Dan is pissed because Job.com won't remove his name, email address, phone number, and home address from their servers. For reasons unknown, someone else set up a profile with his personal info on Job.com. When Dan contacted Job.com, they said that because they "must account for all transactions and account histories" they couldn't delete the info. They also assured him that since he didn't have a resume posted, recruiters can't search or view his information. Dan feels Job.com's internal "requirements" shouldn't have any bearing on his right to privacy. What do you think? Correspondence between the two, after the jump.

Topic: I have feedback to give to Job.com
Preferred Method of Contact: E-Mail
Best Time to Contact: Early Morning

Message: Please delete my account and information completely from Job.com and any affiliated sites/services. Please update me when this is done.

Thank you,
Dan

On Mon, Apr 21, 2008 at 4:48 PM, wrote:

Thank you for using Job.com! We are unable to delete your profile from our system because we must keep the account information in our database. Our company must account for all transactions and account histories. However, per your request, I have reviewed your account and see that you do not have a resume posted. Therefore, your account with us is inactive, since it cannot be searched or viewed by Recruiters. If you are concerned about outside parties being able to view your information, you need not worry because only you have access to this secured account. We have unsubscribed you from our email subscription list. If you have any other questions or concerns, please feel free to call our office at (877) 756-2266.

Thank You
Kristy
Customer Service

Thank you Kristy for the quick response.

Please advise as to the clause in your privacy policy, and your membership policy which states that my account cannot be deleted. The reason why this is important to me is that about 3 weeks ago an account with my information was set up on a website I never even heard of. The information listed there was identical to the info posted on your site. I want all information pertaining to me removed from your servers.

Thank you.
Dan

It's been a week after Dan sent the last email and there's been no response.

(Photo: Getty)

]]>
Mon, 28 Apr 2008 09:47:57 EDT Ben Popken http://consumerist.com/index.php?op=postcommentfeed&postId=5007080&view=rss&microfeed=true
<![CDATA[ FreeCreditReport.com Doesn't Practice Good Security Hygiene ]]> You'd think a credit monitoring service—even one as skeevy as freecreditreport.com—would take great pains to keep up the appearance of security and confidentiality. You'd be wrong. When Brian called to cancel their service he was asked to call out his social security number and his mother's maiden name, even though it turned out they could easily access his account and cancel his service with only his phone number and birthday. Oh, and the first CSR hung up on him, but (sadly) that's not really very newsworthy anymore.

I too, like other readers, had signed up for this service. After a few months (and a few $14.95 charges), I decided their service wasn't worth it. I have no issue with the money spent, that is my fault.
 
However, when I went to cancel my monthly subscription, the first thing the operator asked for was my SSN... not the last 4, but the full SSN. Why in the world would a company whose job it is to alert you to credit issues ask for something like that? I mean, one of the services they offer is related to identity theft.
 
But it gets worse...
 
After the CSR was able to (through some sort of magic or wizardry) pull up my account via my phone number, in order to "verify" who I was, she wanted my mother's maiden name!!!! After being on hold for 20 minutes while she escalated to a manager, the call was disconnected.
 
Can you imagine the audacity of a company whose job it is to "protect" your credit report and help with identity theft asking for full SSN and mother's maiden name? Keep in mind, all I was trying to do was cancel a subscription to a credit monitoring agency I was able to register on-line with...
 
I then called back in, and this CSR was able to cancel my account with my phone number and birthday (yes, he too asked for my SSN and mother's maiden name, but again, through some magic he pulled my account using other info). I will say, while he tried to up-sell me ("Sir, I realize you think this service is ineffective, but for only 29.95 a month you can add this service and get more info") and then tried to convince me that I still had some time left on my account, and I should call back closer to my billing date to make sure I got full utilization, I stood strong and insisted on canceling my account.
 
I think I will be checking my credit card to make sure they canceled it...
]]>
Fri, 25 Apr 2008 18:16:54 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=384287&view=rss&microfeed=true
<![CDATA[ LendingTree Data Breach: Former Employees Were Sharing Passwords With Unapproved Lenders ]]> LendingTree announced today that several former employees are suspected of sharing passwords with lenders that were not approved by LendingTree, and that this may have exposed customer data including: name, address, e-mail address, phone number, Social Security number, income and employment information.

The Charlotte Observer says that the lender has increased its security and filed a civil lawsuit in Orange County, CA. The lawsuit names "three California-based mortgage lenders, eight individuals and two other businesses as co-defendants."

LendingTree did not say how many customers' accounts were exposed, but the article did say that the company was notifying consumers who they believe were affected.

LendingTree tells clients of breach [Charlotte Observer] (Thanks, Sarah!)

UPDATE: Reader Chris forwarded the letter that LendingTree is sending out:

April 21, 2008

Dear LendingTree Customer:

We want you to know that some loan request forms our customers sent to LendingTree may have been seen by lenders without our consent. These lenders then used the forms to market their own mortgage loans to our customers. While we don't believe that the forms were used for any other purpose, we want you to know what happened and what we did to correct this situation, as well as what you can do to monitor your credit records.

What Happened and What We Did

Recently, LendingTree learned that several former employees may have helped a handful of mortgage lenders gain access to LendingTree's customer information by sharing confidential passwords with the lenders. When we learned of this situation, we quickly contacted the authorities, and LendingTree is helping with their investigation. We promptly made several system security changes. We also brought lawsuits against those involved.

Based on our investigation, we understand that these mortgage lenders used the passwords to access LendingTree's customer loan request forms, normally available only to LendingTree-approved lenders, to market loans to those customers. The loan request forms contained data such as name, address, email address, telephone number, Social Security number, income and employment information. We believe these lenders accessed LendingTree's loan request forms between October 2006 and early 2008.

What You Can Do

Again, we don't believe any identity theft or fraudulent financial activity resulted from this situation. However, we suggest you get a free credit report. Look for any accounts you didn't open and/or inquiries from creditors that you didn't initiate. If you see anything you don't understand, contact the credit bureau. If you see anything suspicious, you may want to file a fraud alert with the bureaus. For more information on how to do this, please refer to LendingTree's Guide to Protecting Your Credit and Identity.

Where to Get More Information

We regret any inconvenience and apologize for any unwanted mortgage calls you may have received. For more information about this situation, and for more information on what you can do, please refer to the attached Questions & Answers.

Sincerely,

R.L. Harris

]]>
Tue, 22 Apr 2008 11:09:16 EDT Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=382558&view=rss&microfeed=true
<![CDATA[ Should The Government Set Up A "Do-Not-Track" List? ]]> One of the most popular sentiments expressed by readers on our blog is "be a smart consumer." Now two privacy advocacy organizations are calling for the creation of a "do-not-track" list that would protect registered users from online data collection. They argue that a list is needed because too many consumers won't or can't understand the methods behind online tracking. To illustrate, one of the organizations "pointed to a 2005 University of Pennsylvania survey in which only 25 percent of respondents knew that a Web site having a privacy policy doesn't guarantee that the site refrains from sharing customers' information with companies." But a do-not-track list is overkill, and a fearful reaction against emerging technologies.

If such a list became popular, would it reduce the ad model of the web to the blind shotgun blasts of TV advertising? That would suck—personally, if I'm going to see an ad, I want it to be about something that interests me. I don't like the idea of a third-party harvesting my data and packaging it with other users' data to profit from it, but I do think targeted advertising is an improvement over traditional advertising. Besides, how would such a list work with the rapidly evolving technologies used for data tracking? NebuAd's deep-packet-sniffing collects lots of detailed info but doesn't connect it directly to an ISP customer's account—would that be permissible?

Being a smart consumer is deeply relevant to this issue. Ultimately, the individual consumer has to understand the basics of online advertising before choosing to engage in any online behavior. Telemarketing, and to a lesser extent junk mail, take public info that by necessity has to be public (telephone numbers and addresses, for example), then exploit that info to contact you without your permission. When you're online, however, you're leaving a data trail behind you like heat exhaust, and anyone who knows how to read it can gain information on you. But you can also learn to reduce that data trail, or cloak it, or even disguise it as a different data trail. It's an arms race, but then everything in the information age is.

When companies try to take control of your data trail from you—like what Facebook did with its Beacon program—then we have a real problem; suddenly your self-protection schemes no longer work and you're left open to privacy loss. So far the public has reacted swiftly and decisively against such overreaching stunts.

My hope is that the public side of the market remains a more efficient way of dealing with company misbehavior—and that Average Web User X gets over his technophobia (or more likely plain disinterest) and learns the basics of online privacy if he values his part in the demographic data pool so much.

"Privacy Advocates: Consumer Education Isn't Enough" [PC World]

RELATED
"UK advertising-tech fight shows complexity of privacy battle" [Associated Press]
(Photo: Getty)

]]>
Thu, 17 Apr 2008 23:32:42 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=381275&view=rss&microfeed=true
<![CDATA[ Data On Over 40,000 Patients Stolen From NYC Hospital ]]> The New York Times is reporting this morning that an unnamed employee stole personal data on over 40,000 patients from NewYork-Presbyterian Hospital/Weill Cornell Medical Center. The theft "occurred over the past several years and included patients' names, phone numbers and Social Security numbers." As we've come to grimly expect in these cases, the hospital was made aware of the theft in January, and announced it publicly on Friday after an internal audit. "We obviously deeply regret that this has happened," said the hospital's spokeswoman, Ms. Manners. She also said that investigators are "looking into the possibility that the theft could be part of a larger criminal scheme."

"Patients' Data Stolen, Hospital Says" [New York Times]
(Photo: alexstaubo)

]]>
Sat, 12 Apr 2008 13:28:08 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=379107&view=rss&microfeed=true
<![CDATA[ Uh-oh, someone forgot to pay their bills! ... ]]> Uh-oh, someone forgot to pay their bills! Exciting new data from the American Bankers Association shows that late payments on consumer loans have risen to 2.65%—an 8.6% increase from the previous quarter. People are finally wising up to the fact that ignoring your mortgage is the fast path to the easy lifestyle you always wanted. [FiveCentNickel]

]]>
Sat, 12 Apr 2008 00:00:00 EDT Carey http://consumerist.com/index.php?op=postcommentfeed&postId=379062&view=rss&microfeed=true
<![CDATA[ Redbox Shows Businesses How To Properly Handle A Data Breach ]]> Redbox rents DVD movies via vending machine in drugstores and supermarkets throughout the country, and on Friday they announced that they'd found credit card skimmers attached to three of their kiosks. What's surprising is that they 'fessed up so quickly, and in a highly public manner—they've got the text "SECURITY ALERT" at the top and bottom of their website, and the email they sent to their members is detailed, forthright, and helpful, and reposted in its entirety—along with photos of sample card skimmers—on their site. Attempts at identity theft no longer surprise us, but a competent handling of the issue by a company is pretty amazing.

One reader, Meiran, put it this way: "I'm rather impressed by their reaction, it seems like most modern companies would attempt to push this under the rug and pretend it didn't happen, leaving customers to wonder what those strange charges on their statements are."

According to Wikipedia, the company is mostly owned by McDonald's and Coinstar, so it's not like this is an example of a start-up that's never encountered the heavy hand of corporate influence. This means Redbox's board of directors intentionally chose to be proactive on the matter. They seem to have figured out something that lots of other companies still struggle with, which is that if you empower your customers to help protect themselves, they'll help protect you, too. We wouldn't be surprised if the next time a skimmer is detected, the alert comes from a customer who remembers Redbox's email.

"Redbox Security Alert - Credit Card Skimmer Attempt" [redbox] (Thanks to everyone who sent this in!)

RELATED
"Redbox Warns Customers about Credit Card Skimming" [Hacking Netflix]

]]>
Mon, 07 Apr 2008 09:42:01 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=376695&view=rss&microfeed=true
<![CDATA[ ConsumerSay Wants All Your Data, Will Give You $20 For It ]]> Pssst, wanna make an easy $20? Just give all your bank account and personal data over to ConsumerSay, a consumer opinion and behavior tracking firm owned by Lightspeed Research. Jen, who sometimes fills out surveys for freebies and cash, got an email from them offering her $20 for only 5 to 10 minutes of her time. Oh, and all of her financial transaction data.

Basically, the company tracks your spending habits by collecting data directly from your credit card statement. But rest assured, they say, that the data is in good hands:

Registering these accounts simply authorizes secure collection of monthly information from those accounts for research purposes only. Your specific credit card information will be collected through an infrastructure that ensures the highest level of security with a world-class network, data, and physical security system.
So what's up with this infrastructure? Here's what they say:
Password and statement data are stored and transmitted in encrypted format at all times. All data is securely housed in the Exodus© Vault™, a revolutionary Internet server hosting space that provides enhanced physical security, fire protection and electronic shielding.
Do any of you security types out there know anything about this? Or is it just a marketing term used by Lightspeed? It's not going to become self-aware, is it?
 
But back to the original email. Jen adds that she's pretty skeptical of the offer:
My credit card information. My online financial statements. What the hell?! Even if this is legit, there's no way.
 
Thought you'd like to know. If this is a scam, I'd like to know, and I'm sure so would some other people. I'm sure the survey site won't like me sending this, but it's not like I make anything of value from watching pre-production commercials or telling people how often I buy shampoo.
We don't think they're a scam, Jen. We just think they want you to fork over the keys to your past and future financial history for twenty dollars. Pass.
 
ConsumerSay.com

]]>
Wed, 02 Apr 2008 08:10:51 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=374886&view=rss&microfeed=true
<![CDATA[ Maryland's Dental HMO Security Breach Was One Of Nearly 40 In The State Since January ]]> A few days ago we linked to a Baltimore Sun article that investigated the recent accidental release of private patient data online by The Dental Network. Now the reporter who broke the story, Liz F. Kay, has contacted us with news that "this was the largest of nearly 40 breaches affecting Maryland residents" since a disclosure law went into effect in January:
Thirty-nine businesses or groups have reported losses of sensitive information involving about 87,500 Maryland residents in the three months since a state law took effect requiring that people be informed of such incidents, records show.

The breaches have included everything from SSNs showing through envelope windows to deliberate attacks on databases by hackers. Luckily for Maryland residents, a state law ensures that you can place credit freezes with each of the three major reporting companies for $5 each.

Not a Marylander? Check this interactive map for a quick overview of what your state enforces by way of disclosure laws in the event your data is compromised.

"No sure bets in personal data security" [Baltimore Sun]

RELATED
"CareFirst Dental HMO Exposes SSNs, Says You Should "Take It Seriously""
CSO Maps State By State Data Breach Disclosure Laws

]]>
Mon, 31 Mar 2008 21:55:33 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=374386&view=rss&microfeed=true
<![CDATA[ Were you affected by The Dental Network's ... ]]> Were you affected by The Dental Network's security breach in Maryland earlier this year? Last week we didn't have the address for the official "what to do now" website, but now we do: lds.thedentalnet.org. (Thanks to Liz!)

]]>
Mon, 31 Mar 2008 21:50:36 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=374392&view=rss&microfeed=true
<![CDATA[ CareFirst Dental HMO Exposes SSNs, Says <i>You</i> Should "Take It Seriously" ]]> Last month, The Dental Network—a dental HMO owned by CareFirst BlueCross Blue Shield—discovered it had accidentally revealed personal data and Social Security numbers online for about 75,000 of its customers. It told the members about the screw-up three weeks later. "The company says that to its knowledge, no one has misused the information. But it says 'the risk ... should be taken seriously,'" and it's offering affected members one year of credit monitoring. After that, as you know, the threat of identity theft plummets. Wait, what?

Companies, is it really that expensive to offer 5 years, or 10 years, of credit monitoring to victims of your data security incompetence? Seriously, own up to your responsibility in exposing people to the risk of financial and credit problems and give them the tools they need to protect themselves. After all, it's your fault.

The Baltimore Sun, which first reported the breach, pushed The Dental Network for a reason why it took them three weeks to notify their members:

The company also created a Web site and phone line for members to learn more about the breach, which details the credit protections.

On the Web site, the company posted a list of frequently asked questions, including one about the delayed notification.

"Action was taken immediately and your personal data was secured within minutes of our learning of this accidental exposure," the response states. "With any such event, it takes time to gather the relevant information, identify the affected individuals, hold the necessary internal discussions, make the appropriate decisions and line up the assistance services that are being offered."

Here's another idea, as long as we're giving them out for free: why don't companies create contingency plans for accidents like this? You know, a formalized process that outlines step-by-step what should happen, so that action can be taken within, oh, 72 hours instead of 480 hours.

We searched their amateurish website (it explains a lot about the breach and the slow response) and can't find any mention of this special website or press release. If anyone has more information on either one, please send us a link or post it in the comments below.

Update: Here's the website for victims of the security breach: lds.thedentalnet.org (Thanks to the author of the original article, Liz F. Kay!)

"Patient data exposed online" [Baltimore Sun] (Thanks to Nick!)

]]>
Fri, 28 Mar 2008 13:21:01 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=373484&view=rss&microfeed=true
<![CDATA[ Are You Sure You Want To Add That Facebook App? ]]> Gregory writes in to point out that Facebook does a lousy job of monitoring the development of its third-party Platform applications—and in fact many of them are written so badly that they can be easily hacked. The examples he cites, which are listed in the winter issue of the hacker magazine 2600, are all fairly mild stunts like spoofing user IDs, changing the moods of another user, and re-routing gifts, "but this information could be used to mount large scale social engineering attacks if automated and coupled with other information." To illustrate how easy it is to change another user's settings, he pointed us to a YouTube example of how to change another user's "mood" via the Mood app.

Have any of you out there read the winter issue of 2600 (the hacker quarterly)? There's a pretty good article in there called "Facebook Applications Revealed" and it just serves to point out that many people just don't know what they're getting into when they click to add an application. In my opinion, it is irresponsible of Facebook to post assurances to its users that their data is just as secure when using Platform applications as it is when they are using the first party system. Of course, the most personal data still resides on Facebook servers, and one must be authenticated to get access to it; however, poorly-written applications can have numerous security holes that enable prankster "friends" or malicious hackers to gain access to other remotely stored information, e.g. mood histories, etc.
 
At any rate, it seems Facebook turns a blind eye to these applications that don't properly authenticate users for appropriate data access (e.g. Super Wall), and it seems developers don't really care to properly protect the information they are entrusted with. I have looked plenty of places, including the official Facebook Developers Wiki, and have found no mention of a set of best practices for identity/permission verification or data security for application developers. I am researching these particular vulnerabilities in order to make them more widely known and to help establish a set of suggestions to send or make available to developers that would assist them in properly identifying the user and only allowing said user to modify his/her data, as well as to assist them in verifying that a user has permission to view another user's application data (histories, etc.). At this point, I feel that there is not enough public awareness of these vulnerabilities or their implications. Many users don't know about them, and thus don't care. This provides no incentive for developers to modify their code and make their applications more secure.
 
Quite a few application developers fail to consider implementing adequate security measures in order to verify data ownership. The article I mentioned earlier points out particular vulnerabilities in the Moods, Free Gifts, and Super Wall as examples. In all three of those applications, User A can very easily modify User B's data by intercepting a form and modifying the uid before transmission. In addition, with some applications, User A can gain access to stored application data (e.g. history, etc.) for any User B, whether they are friends or not. Such applications blindly trust form data that can easily be tampered with, which is very clearly a bad idea. The Moods application allows unauthorized users to view the mood histories of non-friends, and with Firebug, anyone with the app can intercept their own mood change form before submitting it, change the uid in the form, and change someone else's mood.
 
In fact, someone has posted a screencast of this hack being executed in under 60 seconds, including commentary, on YouTube. See this link: http://www.youtube.com/watch?v=w65s1iyXqLo
 
Super Wall has a similar vulnerability that allows someone to intercept the form in a similar way and spoof messages from ANYONE to ANYONE (even a non-friend) just by changing the to and from uids. Same thing with Free Gifts: you change the uid in the form before it's submitted and you can send a gift anonymously to anyone. Not only is it poor form for these developers to continue to ignore the fact that users trust them to establish and maintain a certain level of security and privacy, but in my opinion it may also be against Facebook's own Platform Application Guidelines, where it is clearly stated that "Applications may not[...] contain functionality that permits any person to impersonate a user of the Facebook Site or obtain access to the Facebook Site without authorization [or] disregard or circumvent any technical measures instituted by Facebook to ensure that the application only provides users with access to Facebook Site content that they would otherwise be able to view on the Facebook Site in accordance with any user privacy settings" (Facebook Platform Application Guidelines, Section II, Subsections 3 and 4). All three of these applications, and perhaps many more, violate the principle established by these rules by disregarding privacy settings and not properly authenticating users to view or modify certain data. I'm sure if someone had their privacy settings set to block everybody but friends from viewing their profile, they wouldn't want somebody changing their mood or spoofing a comment to them through Super Wall. In fact, Facebook's first core privacy principle is that "You should have control over your personal information" (Facebook Privacy Policy, Facebook Principles, Section 1). These applications, by not adhering to basic principles of internet security, take this control right out of the hands of users.
This thread on the Facebook Developer Forum has a bit of discussion on how to properly authenticate users: http://forum.developers.facebook.com/viewtopic.php?id=11668.
 
At any rate, something needs to be done about this. I'm not sure what exactly, but I am sure that users need to know exactly what they're getting into when they add apps like this. I know at first it seems inconsequential that hackers can gain access to someone's Super Wall or Mood History, but this information could be used to mount large scale social engineering attacks if automated and coupled with other information: for example, one would tend to be much more likely to fall for a scam if he or she were depressed. The Moods application freely gives out this information to anyone wanting to take a peek. Coupled with a list of email addresses cross-referenced to user ids, such an attack could be made extremely effective with that added information. Super Wall post spoofing could be used to instigate fights between two friends or lovers. The possibilities are only limited by a social engineer's mind, and since Moods and Super Wall together boast almost two million active users, these seemingly small holes are too large for malicious minds, or those that protect us against them, to ignore. I hope you can help me get the word out.
 
Sincerely, Gregory
Bottom line: if you're going to use Facebook, be aware that there's no guarantee the app you just added to your page was well written or is secure against basic hacking techniques.
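The bug class Gregory describes has one root cause: the application reads the sender's identity (and sometimes the recipient's) out of hidden form fields, so anyone who edits the form before it is submitted can post as anyone. The example below is an added illustration and is not code from Super Wall, Free Gifts, Moods or Facebook. It models the request signing the Facebook Platform used at the time (every canvas request carried fb_sig_* parameters and an fb_sig value equal to the MD5 of the sorted name=value pairs concatenated with the application secret), derives the sender from the signed fb_sig_user field instead of the form, and checks the recipient against the sender's friend list before writing anything. The application secret, user ids, timestamp and friend pairs are constructed values, and the in-memory FRIENDS set stands in for a call to the friends API.

```python
import hashlib
import hmac

# Constructed values for the example; a real application secret comes from the
# developer settings and must never reach the browser.
APP_SECRET = "example-app-secret"
PREFIX = "fb_sig_"


def sign_params(fields, secret):
    """Build the fb_sig_* request parameters the way the 2008-era Facebook
    Platform signed canvas requests: each field is sent as fb_sig_<name>, and
    fb_sig is md5(sorted 'name=value' pairs concatenated + application secret)."""
    payload = "".join(f"{k}={fields[k]}" for k in sorted(fields))
    sig = hashlib.md5((payload + secret).encode()).hexdigest()
    params = {PREFIX + k: v for k, v in fields.items()}
    params["fb_sig"] = sig
    return params


def verify_fb_sig(params, secret):
    """Return the signed fields if fb_sig checks out, otherwise None."""
    sig = params.get("fb_sig")
    if not sig:
        return None
    fields = {k[len(PREFIX):]: v for k, v in params.items() if k.startswith(PREFIX)}
    payload = "".join(f"{k}={fields[k]}" for k in sorted(fields))
    expected = hashlib.md5((payload + secret).encode()).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return fields


# Constructed friend graph standing in for the friends.areFriends API call.
FRIENDS = {frozenset({"1001", "1002"}), frozenset({"1002", "1003"})}


def are_friends(a, b):
    return frozenset({a, b}) in FRIENDS


def vulnerable_post(form):
    """The pattern the letter describes: sender and recipient are copied
    straight out of hidden form fields, so editing the form spoofs a post."""
    return {"from": form["from"], "to": form["to"], "text": form["text"]}


def hardened_post(form, request_params):
    """Sender is the user Facebook authenticated (the signed fb_sig_user).
    The recipient still comes from the form, but is checked against the
    sender's friend list before the post is accepted."""
    signed = verify_fb_sig(request_params, APP_SECRET)
    if signed is None:
        raise PermissionError("missing or forged fb_sig")
    sender = signed["user"]
    recipient = form["to"]
    if sender != recipient and not are_friends(sender, recipient):
        raise PermissionError("recipient is not a friend of the authenticated user")
    return {"from": sender, "to": recipient, "text": form["text"]}


if __name__ == "__main__":
    # User 1003 is logged in but edits the form to claim the post is from 1001.
    request = sign_params({"user": "1003", "time": "1206560000"}, APP_SECRET)
    forged_form = {"from": "1001", "to": "1002", "text": "hi"}
    print(vulnerable_post(forged_form))         # spoofed: from 1001
    print(hardened_post(forged_form, request))  # from 1003, the real user
```

Tampering with fb_sig_user itself does not help the attacker, because the signature covers every fb_sig_* field and only the application server holds the secret; the form's from field is simply never consulted.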

RELATED
"Facebook Takes Letting The Whole World See Your Private Photos Seriously"
(Door photo: roblisameehan)

]]>
Wed, 26 Mar 2008 21:47:54 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=372699&view=rss&microfeed=true
<![CDATA[ Don't Want A Debit Card? Key Bank Will Charge You $1 A Month ]]> After hearing about Hannaford's giant customer data breach yesterday, Brian decided to cancel the debit card he'd used there. That's when he found out that Key Bank really wants you to have a debit card. In fact, they'll charge you a small monthly fee to not have one linked to your "free checking" account. We figure that this means Key Bank makes about $12 a year more off of customers who have linked debit cards—and that if you want greater security on your account, it's going to cost you.

Because of the recent data breach at Hannaford's, I had to cancel my debit card, which I had used there recently. I had no problem canceling the debit card, but since I recently started charging my regular expenses on a rewards card and paying that off every month, I don't have any real need for a debit card anymore. I spoke with the teller, Brandy, asking her to cancel my debit card and replace it with an ATM card. Since I was canceling the card because of potential fraud, there's no charge there, but I then found out there is a monthly fee of $1 for not having a debit card with my checking account, which they refer to as Key Express Free Checking.

It struck me as odd that they charge extra for the privilege of not having something.

(Dollar background: Sami Keinänen)

]]>
Tue, 18 Mar 2008 20:07:02 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=369461&view=rss&microfeed=true
<![CDATA[ Chart: "10 Largest Data Breaches Since 2000" ]]> The info-loving people at Flowing Data pulled the figures on data breaches (available at Attrition.org) and created a chart showing the top 10 biggest breaches in the past eight years. The most disturbing trend, which probably will surprise few Consumerist readers, is that the breaches are increasing in frequency.

"10 Largest Data Breaches Since 2000 - Millions Affected" [Flowing Data via BoingBoing]
(Image: Flowing Data)

]]>
Mon, 17 Mar 2008 09:39:46 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=368603&view=rss&microfeed=true
<![CDATA[ Medical Records Sold As Scrap Paper ]]> A fourth grade teacher in Salt Lake City, Utah, bought a box of scrap paper for $20 and discovered it was actually a box of medical records of 28 patients from Central Florida Regional Hospital. The hospital shipped the box via UPS to an audit company in Las Vegas last December. The hospital claims it had been tracking the box since February, but hadn't told the patients. As for the teacher's class, her next assignment for the students will be, "Apply for credit card offers using SSNs from the scrap paper box."

The box "had a document indicating it was sold because the shipping company could not deliver it or find its owner," and UPS told MSNBC that it keeps undeliverable packages for at least 3 months before liquidating them. What we can't figure out is how three full months elapsed between early December, when the box was shipped, and the end of February, when the box had clearly already been liquidated and was being offered for resale by a private business.

(Thanks to Sarah!)

"Medical records sold to teacher as scrap paper" [MSNBC]
(Photo: Orin Optiglot)

]]>
Mon, 10 Mar 2008 23:38:31 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=366200&view=rss&microfeed=true
<![CDATA[ Microsoft Doesn't Know Why You Can't Access Any Of Your Saved Games ]]> Reader Brad took his XBOX Live Gamertag to a friend's house. When he got home, he realized that he'd forgotten his memory card (with the Gamertag on it) at his friend's place.

He used the "recovery" service to get the tag back, but when he got access to his tag he realized that he could no longer use any of his saved games.

That was about a month ago and Microsoft still has no solution for his problem. Frustrated with losing all the games he's saved, Brad filed a complaint with the BBB.

Microsoft responded:

We are unable to comply with your request to provide a free Memory Unit. Accessories such as that may be purchased from a retail location.
Brad doesn't want a free memory unit. He wants his saved games back.

Brad writes:

After using the account recovery service on my 360 to recover my gamertag after using it on a friend's 360, I found that I could no longer access ANY of my saved games. I contacted 18004MYXBOX four times about this issue, each time receiving the same script and run-around. I finally escalated the issue, and Jeff from the Xbox Live division called me back to discuss it. He acknowledged that there was an issue with their account recovery service, but that there was nothing they could do, and offered me no compensation. Unfortunately, MS decided to use their DRM system on the saved games as well. When my gamertag account became partially corrupted on their server, it no longer linked to my saved games. And of course, MS does not know how to fix their own system.


Thank you for using the Better Business Bureau's Online Complaint System.
Your complaint has been assigned case # *NUMBERDELETED*.
Correspondence regarding this complaint will be emailed to : *EMAILDELETED*
Please print a copy of this for your records.

Filed on : January 24 2008

Filed by :
*MyNameDeleted*
*MyAddressDeleted*
*MyLocationDeleted*


Filed against :
Xbox
1 Microsoft Way
Redmond WA 98052

Complaint Description:
When moving my Xbox Live! gamertag from a friend's Xbox 360 console back to my own console, I lost the ability to access my saved games, even though they are still present on my 360's hard drive. Moving the gamertag to play in different locations is how the Xbox Live! service is intended to be used; there is some error causing my gamertag to not recognize my saved games. This occurred Thursday, January 17th. I placed calls to 1800MYXBOX on 3 separate occasions: January 18th, January 19th, and January 20th about this issue. Customer service did not offer any solutions which worked, and failed to put me in contact with someone who had expertise in the area. My 1800MYXBOX reference number regarding this issue is 1056102591. These saved games are my personal data, and represent 2 years of my time and effort. Microsoft's Xbox Live service, either intentionally or unintentionally, has caused damage to my gamertag and/or my personal saved game files. I have documented my issues and experience on the Xbox Forums here: http://forums.xbox.com/18015242/ShowPost.aspx#18015242 . Other Xbox Live! and 360 users have had identical or similar issues as shown by the following forum posts: http://forums.xbox.com/17067018/ShowPost.aspx , http://forums.xbox.com/18049832/ShowPost.aspx#18049832 . I have been in contact with several other Live! users that have experienced the same problem. Their Live! gamertags are: 'klamath xor', 'JigSaw XV', 'd3adpoetic', and 'XCALIBUR18'. 'klamath xor' has also filed a complaint with the BBB regarding this issue here: http://app.alaskaoregonwesternwashington.bbb.org/complaint/view/*NUMBERDELETED*.

Your Desired Resolution:
I would like Microsoft to acknowledge the problem and fix it, allowing me and the others affected to use their saved games again. If this is not technically possible, I would like Microsoft to prevent the issue from occurring in the future, and offer a formal apology. If that is not technically possible, I would like to be offered a full refund on my Xbox 360, Live! service, and all of my games and accessories. It is unacceptable for Microsoft to provide a game console/service that destroys users' data, and I cannot support such a system/service.


Microsoft responded:

RE: Your complaint to the Better Business Bureau

Case Number: 22146246

Dear Brad,

A copy of your report filed with the Better Business Bureau of Oregon & Western Washington regarding your Xbox Video Game System has been forwarded to Microsoft.

Our records indicate that we contacted you by phone on the 7th of January in regards to your Xbox console.

We are unable to comply with your request to provide a free Memory Unit. Accessories such as that may be purchased from a retail location.

Thank you for your continued support of the Microsoft Xbox gaming platform.

If you have any further concerns regarding this issue, please contact 1-800-4MY-XBOX and use ticket number: 1053326815. Otherwise we will consider this issue closed.

Sincerely,

Kevin Lamb
Xbox Customer Support
Microsoft Corporation

cc: Better Business Bureau of Oregon and Western Washington

Brad pointed us to a forum thread where he details the steps he took to recover his saved games, etc. You can read that here.

"After recovering my gamertag I can no longer access my saved games!" [XBOX Forums]
(Photo:louder)

]]>
Thu, 28 Feb 2008 12:39:29 EST Meg Marco http://consumerist.com/index.php?op=postcommentfeed&postId=361868&view=rss&microfeed=true
<![CDATA[ CSO Maps State-By-State Data Breach Disclosure Laws ]]> CSO has produced an interactive U.S. map that shows what's required of companies that suffer a data breach in the 38 states that care enough about consumer rights to have passed disclosure laws. Most are modeled after California's strict SB1386 anti-ID theft law, but now you can tell at a glance what your state is doing about the issue—and in most cases you can click on the icon in the pop-up info box to see a copy of the actual law.

In a related article, CSO talks to a data breach disclosure law expert about what's going on at the federal level, where there are at least eight different proposed laws bouncing around D.C.

Forsheit: I really can't tell you why it's taking so long. There was a sense with the new Congress that there was a greater likelihood something would pass. It's just not clear why it hasn't. Clearly people are concerned with ID theft. It's mostly a bipartisan issue, so you see a lot of consensus. There are some disputed aspects, like whether notification should be mandated—as it is in many states—with any unauthorized acquisition [of data], as opposed to there being a higher threshold trigger. But those can be worked out.

CSO: What about the 11 states that don't yet have laws? Are they waiting for a federal bill?

Forsheit: In some of those states, there have been proposals that just haven't made their way through. If we don't see federal legislation soon, those remaining states will likely enact some law.


 
"Data Breach Notification Laws, State By State" [CSOonline]

RELATED
"CSO Disclosure Series | What's Next with Disclosure Legislation?" [CSOonline]

]]>
Thu, 21 Feb 2008 21:37:24 EST Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=359489&view=rss&microfeed=true
<![CDATA[ Librarian Takes Sprint Nextel & Wells-Fargo To Small Claims Court And Wins ]]> I have a cause, thanks. Last December, Theodore Karantsalis received a letter from Sprint, where he was a customer, telling him that someone who banks with Wells-Fargo—where he's not a customer—was presented with his invoice and personal data when they logged into their Wells-Fargo Checkfree account. The customer contacted Sprint, and Sprint contacted Karantsalis. Karantsalis decided that he'd deal with the issue on his own instead of bringing a lawyer into it or throwing his hands up in frustration, so he took both companies to small claims court.

Neither company bothered to send a lawyer to the hearing—although the day before the hearing, they contacted him with a settlement offer if he agreed not to discuss the case with the media—and last week Karantsalis won damages plus court fees for a total of $756.80.

Okay, so that's clearly not enough money to hurt either company—Sprint easily spends 50 times that every day giving lobotomies and tongue-bobs to Customer Service new hires—but we're impressed with Karantsalis' DIY approach to legal justice. As Evan Schuman notes in a related article, there are lots of ways you can define "winning" in a situation like this, but few of them can beat the odds of wrapping up a small claims case quickly and in your favor:

Is the objective to make the consumer whole, in the sense of getting them to the point financially where they would have been had the data privacy booboo never happened?

Is it to make it much more likely that the wrong will never be repeated, sparing other consumers the headache? Is it to make money for the consumer? Is it, dare I say, to make money for the law firms?

The recent TJX lawsuits, for example, could be said to have failed for their consumer plaintiffs on all of those objectives, other than making money for the law firms and even that money was rather paltry.

Schuman wistfully describes a mass consumer uprising, where everyone foregoes class-action lawsuits and uses small claims court instead to seek reasonable damages—for instance, Karantsalis came up with his figure by tripling the cost of a year of data encryption services.

With this settlement publicized, will tens of thousands of consumers now take these frequent breach notification letters and drive to their local small claims court? The onerous nature of a retailer having to defend against literally tens of thousands of virtually identical accusations was precisely the kind of situation that class-action lawsuits were supposed to eliminate. But the civil demands for financial losses create a crack for these cases to slip into.
Theodore Karantsalis as a Small Claims Court Johnny Appleseed! Small Claims FTW! Oh, wait... we signed all those damned arbitration agreements.

(Thanks to econobiker!)

"The Librarian Wins In The Data Breach David Vs. Goliath Battle" [StorefrontBacktalk]

RELATED
"Sears, Where America Sues" [StorefrontBacktalk]
(Photo: Getty)

]]>
Thu, 21 Feb 2008 20:46:25 EST Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=359478&view=rss&microfeed=true
<![CDATA[ Katie says her Sidekick wasn't connecting ... ]]> Katie says her Sidekick wasn't connecting to the network for the past day or so, so she "called T-Mobile and there's an outage in NYC affecting all gprs-using devices (sidekicks, blackberries, etc)." They gave her a $5 credit for compensation, so if you're in a similar situation you might want to call T-Mobile to complain.

]]>
Wed, 13 Feb 2008 12:17:39 EST Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=356025&view=rss&microfeed=true
<![CDATA[ Red Card! MLSGear.com Shoppers Exposed To Identity Theft ]]> Computerworld is reporting that "a series of SQL injection attacks" on a third-party e-commerce company's servers has compromised the personal data of customers who shopped at Major League Soccer's MLSgear.com website. One affected customer told us he received a letter from MLSgear.com letting him know what had happened and offering him free credit monitoring services for a year, which is apparently the standing corporate response to personal data theft.

Bob writes:

I purchased a shirt from MLSGear.com a few months ago. I just received a letter from Mark Abbott, President of MLSGear.com letting me know that their third party ecommerce vendor got hacked and my data may have been accessed...or not.

Anyway, it seems they canned their third party ecommerce vendor, and they are offering free credit monitoring services for the next year.
I wish my data was not compromised to begin with, but I will take the monitoring service. I am glad they are standing up and taking the responsible action. (would they if there were no laws?)

As security breaches go, this one hit a small number of people—169 New Hampshire residents according to the article—but "security analysts expect such attacks to become increasingly common because a large number of Web sites are vulnerable to them."
In recognition of that, the major credit card companies in July will begin requiring retailers and other merchants that accept payment cards to either install a firewall in front of all Web-facing applications or submit custom application code to an outside security firm for a vulnerability review.
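The Computerworld piece doesn't say what the vendor's code looked like, so the following is an added example and not the e-commerce vendor's code. It builds a constructed SQLite table of orders (made-up emails, names and card numbers), then shows the lookup pattern behind "a series of SQL injection attacks" beside the parameterized form that the code review described in the quote above exists to catch. Two constructed payloads are run through both: the classic quote-breaking `' OR '1'='1` that dumps every row, and a UNION payload that reads the schema out of sqlite_master the way an attacker maps an unknown database.

```python
import sqlite3

# Constructed order records standing in for the vendor's customer database.
ROWS = [
    ("bob@example.com", "Bob", "4111111111111111"),
    ("alice@example.com", "Alice", "5500000000000004"),
    ("carol@example.com", "Carol", "340000000000009"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (email TEXT, name TEXT, card TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Request text is spliced into the statement, so a quote character in the
    input ends the string literal and the rest of the input becomes SQL."""
    sql = "SELECT email, name, card FROM orders WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """The value travels separately from the statement; the driver can only
    ever compare it with the column, never parse it as SQL."""
    sql = "SELECT email, name, card FROM orders WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed attacker inputs.
DUMP_ALL = "' OR '1'='1"
# Same number of columns as the original SELECT, trailing quote commented out.
READ_SCHEMA = "x' UNION SELECT name, sql, '' FROM sqlite_master --"


def demo():
    """Run both payloads through both lookups; returns the row counts so the
    difference is visible without reading the output."""
    conn = make_db()
    return {
        "vulnerable_dump_all": len(lookup_vulnerable(conn, DUMP_ALL)),
        "vulnerable_schema": lookup_vulnerable(conn, READ_SCHEMA),
        "parameterized_dump_all": len(lookup_parameterized(conn, DUMP_ALL)),
        "parameterized_schema": len(lookup_parameterized(conn, READ_SCHEMA)),
        "parameterized_real": lookup_parameterized(conn, "bob@example.com"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The parameterized version returns nothing for either payload because there is no order whose email column literally equals the attack string; the vulnerable version returns all three card numbers for the first and the CREATE TABLE statement for the second. A web application firewall in front of the site, the other option the card brands were offering merchants, would try to recognize those payloads on the way in; the parameterized query removes the problem regardless of what the input looks like.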

"Soccer league's online shoppers get kicked by security breach" [Computerworld]

]]>