Tucson area Domino's Pizza customer information exposed

Date Reported:
6/18/08

Organization:
Domino's Pizza

Contractor/Consultant/Branch:
Unnamed former owner of 24 Tucson area locations    

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Names and credit card numbers

Breach Description:
Hundreds of credit card receipts dating back as many as five years were found "blowing in the wind" after a former owner of 24 Domino's Pizza stores in the Tucson, Arizona area was found to have been discarding boxes of old records near her home.

Reference URL:
KVOA Channel 4 News

Report Credit:
Tom McNamara, KVOA Channel 4 News

Response:
From the online source cited above:

Investigators found credit card numbers blowing in the wind for anyone to see.

These piles and papers strewn across the alley contain hundreds of old receipts from Domino's Pizza stores.

When we got a call about this, we went down to University Avenue and Euclid and saw these receipts were three, four, and even five years old.
[Evan] Is there any business reason to keep credit card receipts for this period of time?  I suppose a case could be made that these should be kept for up to seven years for tax purposes.

We contacted the former owner of 24 Domino's Pizza stores in Tucson.
[Evan] This could have been a very risky breach in terms of overall potential impact considering the number of affected persons.  24 stores, x number of credit card transactions per year, and 5 years could add up to a pretty significant number.

She won't talk with us on-camera, but told us she'd been discarding boxes of old records near her home and somehow all those receipts got loose.
[Evan] Incidents like this tear me up.  I very much doubt that this lady had any malicious intention behind her actions, but nonetheless her actions could have caused considerable inconvenience (and possible loss) to a number of individuals.  I presume that she just didn't know any better.

We found Scott Brumage's name and credit card number on one of those receipts in the alley.

Tom McNamara asks him, "See that? Recognize that name? Recognize the number?" Scott nods, "Uh huh."

Tom asks, "Well how'd you feel when we called you out of the blue and told you what we'd found? What went through your mind?"

"It was just kind of surreal at first because I like to think I can trust using my card [because of] the convenience and everything of course."

Scott was startled to see his name and card numbers on our screen.

He says he's ordered a lot of pizzas over the years and expects privacy and protection when he pays for his pepperoni pie.
[Evan] Is this an unreasonable expectation?  Maybe it is an unreasonable expectation, given the current environment and considering the bigger picture (merchants, processors, banks, "the system", etc.).  I don't think that it is an unreasonable requirement, but requirements, expectations and practices are not in alignment.

Scott tells us, "I don't know. [I'm] just dumbfounded, other than they need to figure a better way of disposing."
[Evan] It is dumbfounding, isn't it?  I often wonder what people are thinking when they do some of the things they do.

The Investigators contacted the Federal Trade Commission in Washington and they say thieves could potentially use discarded credit card numbers even if the card has expired. The numbers on the card in many cases are still the same.

They say there could be enough information on the receipt to help a thief reveal more information about you, such as your social security number.

It's small comfort for Scott. He says, "I'm hoping this is a one time only [situation]. They might have just lost a loyal customer."
[Evan] The impact to the victim is usually pretty clear and easy to quantify.  The impact to the business (or organization) is not usually as easy to measure.  In a competitive business like pizza sales, companies need to identify and communicate differentiators like ingredient quality, service, taste, price, location, etc.  Maybe if customers viewed information security practices as an important differentiator, businesses would put more time and effort into securing information.  Pipe dream?

In this case, the Investigators contacted Tucson Police and several officers came to collect the records we found and have them destroyed.

Commentary:
This breach reminds me of a recent discussion I had online with Benjamin Wright in the comments section of the "Cotton Traders confirms that their website was compromised" breach.  He makes a very good argument regarding accountability in credit card breaches.  My responses to him are included.

Past Breaches:
Unknown


 