Sony notifies Attorney General of credit card breach


Date Reported:
6/21/10

Organization:
Sony Electronics Inc.

Contractor/Consultant/Branch:
TeleTech Holdings ("TeleTech")

Location:
Undisclosed

Victims:
Customers who used a credit card when calling the Sony Style Telesales Department between May 23rd and June 3rd, 2010.

Number Affected:
Undisclosed

Types of Data:
"certain credit card information"

Breach Description:
"TeleTech Holdings (TeleTech), a third party service provider that managed customer telesales for Sony, notified Sony that unauthorized copies were made of certain credit card information and emailed to an account outside of the TeleTech network."

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
Sony Electronics Inc. via the New Hampshire State Attorney General

Response:
From the online source cited above:

Sony Electronics Inc., (Sony) is writing to inform you of a data security incident that occurred at our third party service provider TeleTech Holdings.

TeleTech Holdings (TeleTech), a third party service provider that managed customer telesales services for Sony, notified Sony that unauthorized copies were made of certain credit card information and emailed to an account outside of the TeleTech network.

This was in violation of clearly established policies.

We have conducted a thorough investigation of this incident, and all relevant credit card companies have been notified.

At this point, we have no information indicating that any credit card information has actually been used fraudulently.

We will be sending written notification to all individuals whose credit card information was potentially compromised, and offering such individuals the opportunity to enroll in credit monitoring service for one year without any cost to the individual.

We expect to mail these notifications the week of June 28, 2010.

From the letter sent to the affected persons:

We are writing to inform you that we have uncovered an incident involving one of our third party service providers that may have resulted in the unauthorized disclosure of the credit card that you used when you contacted the Sony Style Telesales Department between May 23, 2010 and June 3, 2010.

Alternatively, if you do not wish to register over the internet (for the free credit monitoring service), or have questions regarding this incident, we have set up a special hotline at .

Commentary:
I gotta say, for the most part, I am impressed with the response as judged by this notification.  The affected timeframe (5/23 - 6/3) is very limited and the notification to the Attorney General was very prompt (6/21).  I am assuming that TeleTech takes information security seriously and has some good detective controls in place to catch this type of suspected behavior.  Incident response seems pretty good too.

Managing information security across third-party relationships can be challenging if it's not done formally.  Securing against internal employee misuse and fraud can be just as challenging (if not more so).  TeleTech detected the misuse quickly.  TeleTech notified Sony promptly.  Sony notified authorities (AG) and customers promptly.  Seems pretty good, and definitely above average.

If you are affected by this breach, call your credit issuer.  Inform them of this incident and that you have received a letter stating that your account may be involved.  Ask to open a new account, transfer your balance, and close your old account.

Past Breaches:
Sony Electronics Inc. - May, 2009


 