Banks and credit card firms keep ID theft victims in the dark
The hacking of a credit card processing company last week, with more than a million people’s card numbers potentially stolen by identity thieves, highlights yet again how little privacy we enjoy in the digital age.
It also highlights — yet again — how hard it can be to find out details of a security breach.
William LeGro of Silver Lake is typical of a lot of people who frequently shop online. He knows that he usually has to run a gantlet of hackers and scammers to get what he wants.
At the very least, he expects to be able to make smart choices about which online merchants are safe to do business with and which ones may be vulnerable to cyber-thuggery.
But when he contacted Bank of America recently to inform the bank that he was buying something online from an overseas retailer — an anti-fraud precaution few of us might think to take — LeGro was told that his Visa card had been compromised.
He was told that a business he’d bought things from had been penetrated by hackers and that numerous Visa accounts had been compromised. What business?
BofA wasn’t saying. Neither was Visa.
It’s a problem that arises all too often. Consumers are kept in the dark any time an online security breach is reported. Basically, we’re told not to worry our pretty heads about the particulars — all is well.
“All is not well,” said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse in San Diego. “Banks and card companies just stonewall, and consumers have no way to find out where the breach took place.”
Last week’s breach involving a company called Global Payments Inc. shows how frustrating it can be to find out what happened. The Atlanta processor of transactions for MasterCard and Visa finally acknowledged Sunday that its database had been penetrated.
It said “less than” 1.5 million consumers’ credit card numbers may have been stolen, but that “we are making rapid progress toward bringing this issue to a close.”
Feel better? You shouldn’t.
According to the Privacy Rights Clearinghouse, nearly 3,000 U.S. businesses are known to have experienced security breaches since 2005. More than 544 million consumer records potentially have been accessed by ID thieves.
Yet consumers remain largely in the dark about which companies were involved, what sort of information was endangered and the circumstances surrounding each incident.
Was it a case of a business doing everything possible to protect customers’ data but still succumbing to the dark arts of a master hacker? Or was it a case of a business leaving its servers unencrypted, or recklessly allowing an employee to load confidential info onto a laptop that then gets misplaced or stolen?
That’s a distinction that would definitely influence my choices as to which business deserves my loyalty.
LeGro said a BofA service rep explained to him that “we don’t tell the customer for fear of retaliation.”
Retaliation? Against whom?
“Against the merchant,” came the reply. “You might stop doing business with them.”
Points for honesty.
Betty Riess, a BofA spokeswoman, said she couldn’t imagine any of the bank’s service reps saying such a thing to a customer. In any case, she said banks aren’t usually told by the likes of Visa and MasterCard the identity of a breached company or details of an incident.
“We don’t know ourselves,” she said.
File that under ignorance being bliss. If a bank has no clue about what happened, it has no responsibility to rat out a potential business partner to customers.
Sandra Chu, a Visa spokeswoman, acknowledged that the card company tends to keep the identity of breached companies to itself.
She said disclosing such info “would be a huge disincentive for the breached entity to come forward early and to cooperate with us in the investigation.”
In other words, a company’s first consideration, ahead of the possible danger to its customers, would be the embarrassment of publicly admitting that its security wasn’t up to snuff. Visa doesn’t want businesses to have to face such anguish.
Chu also said it would be unfair to name a possibly breached company before all the facts are in and investigators have done their job. Never mind the fact that your credit card number may be traveling the globe during this time.
Jim Issokson, a MasterCard spokesman, cited similar reasons for keeping mum about security breaches.
“Bottom line is that we provide the information necessary to protect potentially at-risk accounts from fraud,” he said. “Issuers make decisions about when to inform cardholders based on the issuers’ own risk and fraud management strategies.”
As a three-time victim of identity theft, I can say that current disclosure practices aren’t good enough. It’s obvious that banks, card companies and especially retailers have little incentive to come clean on how vulnerable our personal info may be.
It’s time for lawmakers to step up with new requirements for informing people about security breaches. At the very least, the identity and location of the business, the nature of the breach and the data jeopardized should be made public.
This isn’t about slapping businesses with scarlet letters. It’s about ensuring that consumers have all the information they need to shop safely.
And you’d think that’s something banks and others would be all in favor of.
On Friday: Who owns your information?
David Lazarus’ column runs Tuesdays and Fridays. He also can be seen daily on KTLA-TV Channel 5. Send your tips or feedback to david.lazarus@latimes.com.
