How would you feel if you knew your credit card number was revealed to hundreds of hackers in a chat room? About 300 credit card holders found out exactly what that felt like a few weeks ago.
These people booked vacations online, in this case to Chicago. What they didn't know is that the site they were using, 877Chicago.com, didn't actually do the credit card processing. Instead, it used a third party, Cardinal Communications RegWeb.com, which stored its information in what turned out to be a frustratingly insecure manner. The bomb dropped when a hacker found a link to the customer data and posted that link to a hacker chat room. Someone who saw it then e-mailed the information to me.
Now, we've all heard stories about personal information being exposed. But to witness, in all its data-riffic glory, the breakdown of a business protecting its customer data was flooring. I don't know how else to put it. Clicking on that link and seeing the credit card information for all these people made me very uncomfortable. But that was nothing compared with the feeling I got after I called the first person on the list. The husband of the cardholder picked up the phone. It took a while for him to understand who I was and that I was not the enemy. His wife called me back a couple of hours later. Both seemed to be in total shock.
Finally, I called RegWeb looking for confirmation and an explanation. The IT administrator I spoke to seemed nice and admitted the problem. He then begged me not to run the story. At first, I felt sorry for him. But I quickly became angry. As someone who buys things online, I was pretty ticked off that a company didn't do what was needed to protect its most valuable asset: customer data.
No network is completely secure, but this wasn't a case where the company had an encrypted database behind a firewall with intrusion detection enabled. From the company's explanation, it seems that RegWeb performed some kind of file transfer from one system to another and inadvertently left one file behind — and exposed to anyone on the Internet. That's just sloppy.
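The failure described above is a stray file left in a web-exposed location after a transfer. The scanner below is an added example, not code from the column or from any company named in it: it walks a directory (such as a web server's document root), looks for runs of digits that pass the Luhn checksum real card numbers satisfy, and reports which files hold them, with the numbers masked. The directory layout, file names and sample records in `demo()` are constructed for illustration; the test card numbers are the widely published Luhn-valid examples, not real accounts.

```python
"""Added example (not from the column): scan a web-exposed directory for
leftover files that contain payment-card-like numbers, the kind of file a
sloppy transfer leaves behind. Directory layout and records are constructed."""
import re
import tempfile
from pathlib import Path

# Candidate: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which genuine card numbers satisfy; filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_numbers_in(text: str) -> list[str]:
    """Return masked card numbers found in text, keeping only Luhn-valid candidates."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            # Never write the full number back out, even in a report.
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found


def find_exposed_card_data(root: str) -> dict[str, int]:
    """Walk root and map each file (relative path) to the number of card-like values it holds."""
    hits: dict[str, int] = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")   # binary files are tolerated, not parsed
        except OSError:
            continue
        n = len(card_numbers_in(text))
        if n:
            hits[path.relative_to(root).as_posix()] = n
    return hits


def demo() -> dict[str, int]:
    """Build a constructed document root with one leftover export and return the scan result."""
    root = tempfile.mkdtemp(prefix="webroot_")
    (Path(root) / "index.html").write_text("<h1>Book your trip</h1>")
    (Path(root) / "tmp").mkdir()
    # Constructed leftover export. 4111... and 5500...0004 are published Luhn-valid test
    # numbers; 1234567890123 fails Luhn and must not be reported.
    (Path(root) / "tmp" / "customers.csv").write_text(
        "name,card\n"
        "J. Doe,4111 1111 1111 1111\n"
        "A. Roe,5500-0000-0000-0004\n"
        "B. Poe,1234567890123\n"
    )
    return find_exposed_card_data(root)


if __name__ == "__main__":
    for rel, count in demo().items():
        print(f"{rel}: {count} card-like value(s)")
```

Run it against a real document root by calling `find_exposed_card_data("/path/to/htdocs")`; the Luhn filter keeps order numbers and timestamps from drowning the report, and the masking means the report itself is not a second copy of the data.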
Nobody's perfect. But it only takes a single incident like this to destroy a company's reputation. If you have demonstrated that you can't ensure the absolute privacy of customer information, you are effectively putting yourself out of business. In other words: Either do it right or don't do it at all.