ZeroPoint Risk Research, LLC

Privacy…Data Breach…Identity Theft…Regulations…

These are terms which we have come to know all too well these days.  It is quite hard to turn on the TV and not hear a news story that involves one of these terms.  A quick visit to the Privacy Rights Clearing House (http://www.privacyrights.org) shows that even with recent regulations, the (business?) world is slow to adopt adequate information security practices.  And without a doubt, the media has helped bring information to the masses regarding some of the most well known and publicized data breaches.

What have not been widely publicized are the human effects a data breach causes.  Sure, a data breach costs a company a lot of money, and it can even put a company out of business.  But what about the people who have been effected by a breach?  How does dealing with a breach affect their lives, their bank accounts, their families, their marriages, their emotional well being?

While working on my current client project, one of my primary contacts and I had a discussion regarding risk management and data privacy.  My contact, Jane Doe (made anonymous on request), communicated to me that she was a victim of the TJX data breach that was first made public in January of 2007.  And until just recently, Jane was still feeling the effects of this and (potentially) other related breaches.  I asked Jane if she would allow me to write a blog entry about her story.  Without hesitation, she said, “Yes, anything to possibly help others who may be in a similar situation.”

This is Jane’s story.

In January of 2007, right around the time the TJX breach was made public, Jane received a phone call from her small community bank.  They had indicated that there were some erratic debit card transactions on  her account which did not appear to follow her typical spending patterns.  The bank asked Jane if these were her transactions.  Jane had indicated they were not and asked for the bank’s assistance in resolving the situation.

Jane went into the bank the next day and filled out a claim form for every transaction on the statement that was not hers.  Though this was a laborious task, it provided the bank with the necessary information to begin investigating the situation.  At that time, the bank was not yet aware of the scale of the breach.

The bank submitted the forms to MasterCard for processing and investigation.  During this interim period, the bank did provide provisional credits to Jane for each unauthorized transaction.  Full/final credit would eventually be made upon the results of research and investigation made by MasterCard.

MasterCard eventually came back with confirmation that each of the transactions was in fact not made by Jane and was unauthorized.  The old debit card had been destroyed and a new card was ordered.  Account and credit monitoring was offered.

However, that was not the end of Jane’s story and the effects of having used her debit card in a TJX-owned store prior to the breach being made public.  In fact, though the card was destroyed and a new debit card and number were created, Jane said she was still seeing unauthorized transactions on her bank statement.

These transactions were of a form best characterized as transfers of funds or withdrawals.  Combined with the fact that a new card/number had been issued, this indicated to all parties involved that the thieves had obtained Jane’s actual bank account number and related personal information.

What occurred next would start to take an emotional toll on anyone.  An electronic payment against her student loan bounced.  Immediately, her student loan interest rate was more than doubled from 3% to 7.5%.  Pursuant to this occurrence, Jane’s bank indicated that they wanted Jane to completely close her account and open a totally new account.

Jane and the bank agreed on the importance of doing so.  And the bank was extremely helpful in working with Jane to have her student loan interest rate corrected.  However, during the subsequent six weeks, Jane had to issue her loan payments with paper checks.

But this was not the last event.  A mortgage loan payment had also bounced.  The bank quickly corrected this issue also.  While it was not a difficult resolution to achieve, it was another layer of aggravation added to this already painful situation.

TJX had offered Jane free credit reporting. And it was not until about August/September of 2007 that Jane began to feel comfortable that everything had been dealt with sufficiently.  Nine months of dealing with her multiple savings accounts and joint accounts with her husband appeared to finally be fading into the past.

Proving that lightning does strike twice, in January of 2010, Jane’s bank called and asked her, “Are you in Montreal?”  Jane, feeling a very familiar sense of dread, replied, “No!”

Once again, Jane was dealing with a breach scenario.  Her bank was again heavily involved in the matter.  The FBI was also involved.  The bank’s belief was that an on-line purchase made by Jane in December of 2009 was the transaction from which her account was compromised again.

As with the prior breach, Jane’s bank provided provisional credits to her account.  And also as before, this was only done after a form was filled out for each and every unauthorized transaction.  Jane said this was a significant burden.

In February of 2010, Jane noted that on her bank account statement, another ~ $1,100 was “missing”.  By the end of March, 2010, just shy of $3,700 was “missing”.  These were not new breach scenarios but rather the latent effects of the secondary breach that occurred in January.

While at this point Jane’s accounts appear settled and whole, thanks in large part to the tremendous support of her small, community bank, not everything is perfect.  Throughout this entire ordeal, Jane suffered through a great deal of pain and heartache at home.  She and her husband fought often.  They both dealt with much heartache and stress.  They lived in a fairly continual state of fear.  For several months they wondered if their marriage could survive the roller coaster of emotion.

But it did.  And, if I am reading Jane’s words and body English correctly, I think dealing with all of this has made Jane a stronger person.

But it does not always work out this way.  Countless divorces, bankruptcies, foreclosures and other unfortunate results have occurred due to the same and similar events that Jane and her family persevered through.    And this ties right back to what I noted at the beginning of this blog entry…What does the media often show with respect to data breaches and theft of non-public personal information?  Usually, it is only the corporate side of a breach.

The human side is all too often ignored.  I implore the decision and policy makers in all companies to think twice before not implementing a voluntary control/process because it is “too expensive” or “does not return value to the shareholders”.  Let’s put a face to the potential victims of breaches that could occur due to your decisions.  Acknowledge the importance of the well being of your employees and customers.

Take responsibility for doing something, not because you have to, but because it is the right thing to do.

Many thanks go out to Jane Doe for taking the time to let me view a slice of her life that she would rather forget.  It is our sincere hope that at least one person who reads this might make a change that has a positive impact on the personal life of someone else.  I have faith that someone will.

- Jeff Bamberger

Leave a Reply

Proudly powered by WordPress. Theme developed with WordPress Theme Generator.
Copyright © ZeroPoint Risk Research, LLC. All rights reserved.