Credit card customers were not notified when the largest single case of online theft of credit information occurred in January. Eight million credit card numbers were stolen when someone hacked into Data Processors International Inc. (DPI), which processes credit card transactions for direct marketing and mail-order catalogue companies. The company in Omaha, Neb., defended itself by saying the culprits may not have obtained any useful information. At press time it remained unclear if any usable data was compromised.
Neither DPI nor the credit card companies – MasterCard, Visa, American Express and Discover Card – have disclosed any information about the thefts on their consumer Web sites.
In contrast, when a hard drive containing the personal information of millions of Canadians went missing from ISM Canada Inc. in January, Guelph, Ont.-based Co-operators Life Insurance Co. had no way of knowing whether the disk drive data would be used by identity thieves. However, company officials felt the risk alone to about 176,000 of the company’s insurance policies required them to notify the customers whose data was taken. Co-operators set up a call centre and sent letters to customers with advice on actions they could take to protect themselves, such as notifying credit reporting agencies of the theft and monitoring their bank and credit card statements.
“There’s no legal obligation for us to do it,” said spokeswoman Dominique O’Rourke. “We just felt our customers had the right to know and should take steps to protect themselves.”
“While The Co-operators has always employed stringent security measures to ensure that client data is secure, today’s high-tech environment means that companies need to do even more,” reads a news item on the company’s Web site. “To this end, The Co-operators is exploring ways to further enhance its security processes to minimize the risk of a similar occurrence in the future.”
Neither Canada nor the U.S. requires companies to notify customers of data thefts. But a California law that takes effect in July will require companies to notify customers in that state if their personal data has been compromised.
Personal customer account information of Winnipeg-based Investors Group Inc. and other businesses was also on the ISM hard drive, which was recovered with reportedly no evidence that the information contained on the disk was used maliciously.
Investors Group also notified its customers by letter and has said it has terminated its dealings with ISM until the company can prove the data it handles is secure.
The security breach has shed a negative light on outsourcing options, but IDC Canada’s Dan McLean, director of utility research and IT outsourcing, assures that one incident does not reflect the state of all outsourcing services. “Personally, I think it is a real stretch to make the conclusion that outsourcing puts you at more of a risk than keeping IT in house,” he said.
— with files from Lucas Mearian and Patrick Thibodeau, Computerworld (U.S.), and Carly Suppa