Contractor caught trying to sell Disney data
Posted: Friday, July 13 at 01:55 pm CT by Bob Sullivan
An employee who works for the company that processes Disney Movie Club transactions was caught trying to sell customer credit card information, Disney told its customers this week. The story echoes an incident revealed by Fidelity National Information Services earlier this month.
The employee was nabbed in an "undercover sting operation" run by a federal law enforcement agency, according to a letter sent July 6 by the Disney Movie Club to its members.
The employee did not work for Disney, but rather for Alta Resources Inc., which processes transactions and fulfills orders for the Disney Movie Club, the letter said. The employee has been dismissed and the Secret Service is continuing to investigate, according to Disney.
Like members of traditional music clubs, members of the Disney club sign up to receive one Disney movie each month at a discounted rate, which they can accept or return. It's not clear how many customers received the notice from Disney. Eric Maehara, a Disney spokesman, said the firm was asked not to reveal additional details about the incident, including the number of stolen card numbers. The Disney Movie Club has 1 million members, but not all had their data stolen, he said. In some cases, the stolen data included telephone numbers and e-mail addresses.
A spokesman for Alta Resources did not immediately return phone calls.
Bill Elrick of Utah was one club member who received the notice.
"My first thought was, 'oh crap, not again.' I was also a victim of the TJ Maxx incident," Elrick said. "I just got done closing my account and opening a new one. ... Now I have to do that again."
Elrick is now waiting for another replacement debit card to arrive in the mail from his bank.
"This is a hassle," he said. "I am extremely irritated."
Elrick also said he was aggravated because his data was shared with Alta Resources, a company he'd never heard of.
"I don't remember giving Disney permission to share my information with anyone," he said.
Disney says it has informed the major card associations about the incident, but that it believes consumers have little to fear. The thief apparently bungled the job, and didn't steal all the data necessary to commit most frauds.
"We have been assured that the card security code (e.g. the CVV or CVC code) for your credit card was not included," the Disney letter said.
A wider trend
Still, the incident highlights a problem companies face that gets much less attention than cases of mysterious hackers breaking into company databases from across the Internet -- the inside job. Earlier this month, Fidelity announced that 2.3 million customer records were stolen from the company by an employee of an outside contractor and sold to marketing companies.
"Although the hacker story always gets better media play, the insider threat is more dangerous," said Larry Ponemon, a researcher who runs The Ponemon Institute, a privacy consulting firm. "We are starting to see more stories about malicious insiders. Perhaps they are realizing there's a lot of money to be made with this data."
Insider data theft is hardly new. In 2002, for example, Philip Cummings stole thousands of credit reports while working for a company that supplies tech support to the nation's credit bureaus. But companies still don't spend as much as they should to stop insider theft, said Avivah Litan, a computer security analyst with research firm Gartner.
"One case of insider fraud does as much damage as 100 hacking attempts," Litan said. "They know where the data is, which accounts to steal, and often, they have access to it."
New technologies offer hope, Litan said. So-called "content monitoring" software watches employee computers for signs of suspicious activity, such as an attempt to download thousands of credit card numbers. Unfortunately, Litan said, most firms are too caught up in monitoring e-mail and Web browsing abuse to pay attention to data theft. While most firms monitor employee e-mail, for example, only about 5 percent watch for signs that workers are moving data on and off company servers.
"A lot of this is easy to catch, but you have to have policies and software in place," Litan said. "Unfortunately, most firms have very few policies in place to prevent this kind of fraud."
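The volume-based monitoring Litan describes, as an added example that is not part of the article: the audit-log format, usernames, row counts and destinations are constructed, and the detector flags a user whose cardholder-table reads jump far above that user's own baseline, exceed an absolute limit, or leave the application tier.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample audit-log lines (not real Disney/Alta data): one line per
# read of the cardholder table, as an order-fulfilment platform might emit them.
SAMPLE_AUDIT_LOG = """\
2007-07-02 09:14:03 user=jdoe action=SELECT table=cardholder rows=120 dest=app01
2007-07-02 11:40:51 user=msmith action=SELECT table=cardholder rows=95 dest=app01
2007-07-03 09:02:17 user=jdoe action=SELECT table=cardholder rows=140 dest=app01
2007-07-03 10:15:44 user=msmith action=SELECT table=cardholder rows=110 dest=app01
2007-07-05 22:47:30 user=msmith action=EXPORT table=cardholder rows=48000 dest=usb:E
2007-07-05 22:49:02 user=msmith action=EXPORT table=cardholder rows=1500 dest=usb:E
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) action=(?P<action>\S+) table=(?P<table>\S+) "
    r"rows=(?P<rows>\d+) dest=(?P<dest>\S+)$"
)

def parse_audit_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["rows"] = int(ev["rows"])
            events.append(ev)
    return events

def flag_bulk_access(events, table="cardholder", abs_threshold=5000, ratio=10.0):
    """Return sorted (user, day, rows, reasons) tuples for anomalous days.

    A (user, day) is flagged when its row volume from `table` exceeds
    abs_threshold, exceeds `ratio` times that user's median on other days
    (a per-user baseline), or any of the day's reads left the application
    tier (dest not an app server), the "moving data off servers" signal.
    """
    per_user = defaultdict(lambda: defaultdict(int))  # user -> day -> rows
    off_tier = set()                                   # (user, day) with non-app dest
    for ev in events:
        if ev["table"] != table:
            continue
        per_user[ev["user"]][ev["date"]] += ev["rows"]
        if not ev["dest"].startswith("app"):
            off_tier.add((ev["user"], ev["date"]))
    flagged = []
    for user, days in per_user.items():
        for day, rows in days.items():
            others = [r for d, r in days.items() if d != day]
            baseline = median(others) if others else None
            reasons = []
            if rows > abs_threshold:
                reasons.append("absolute-volume")
            if baseline and rows > ratio * baseline:
                reasons.append("baseline-deviation")
            if (user, day) in off_tier:
                reasons.append("off-tier-destination")
            if reasons:
                flagged.append((user, day, rows, reasons))
    return sorted(flagged)
```

On the constructed log, only msmith's evening export day is flagged, on all three grounds; the routine daytime reads by both users stay below every threshold.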
I have given up using my debit card anywhere except my own bank's machines. The liability and risk is just too high otherwise. It's unlimited really.
Credit cards at least have a limit, thanks to the government, on one's liability. So, in my opinion, they are worth the risks.
The only way we are going to solve this is to make companies responsible. Right now we are responsible for their irresponsibility. If and when they are made to bear the total costs, we will see a change in security behavior.
What we have learned here is that markets alone do not work magic. Without regulation they degenerate into socially irresponsible behavior.
Peter Alaimo, Phoenix, AZ (Sent Jul 13, 2007 2:24:49 PM)
All companies with sensitive data such as credit cards, SSN#, etc. should have some kind of software in place to detect downloads of such data. Just another way we keep getting screwed in today's world. Between banking fees, credit card rates, and identity theft, I wonder if it isn't safer to just go back to shoving cash into the old mattress.
Shannon, Seattle, WA (Sent Jul 13, 2007 2:24:52 PM)
I received one of these letters from Disney and I was more than a little angry. My wife signed us up for the Disney movie club to get movies for our daughter and at the time I remember being irritated that they required a credit card number for auto-pay. Why can't they just ship the movies with a bill that we can pay with a check? Also, I never gave permission to Disney to share my private financial number with a subcontractor. An important point of note is that nowhere in the letter I was sent did Disney mention that the dirt-bag that tried to sell my info was arrested! All they said was that the offending employee no longer worked for the subcontractor. Thanks for nothing Mickey!!!!
(Sent Jul 13, 2007 2:29:55 PM)
Apparently we don't have strong enough laws on the books to deter this idiocy.
As a Data Security Expert, it frustrates me no end to hear about how people abuse the trust they are given.
How about we bring back public executions? Maybe make them a pay-per-view event? Use the money to fund a better education system to instill some VALUES into the future generations of workers?
ISE_DSE, Cleveland, OH (Sent Jul 13, 2007 2:45:48 PM)
I work for a debit card company in their LAN department. I know that we do have programs in place to stop unauthorized users from downloading information. For instance, only certain people have access to cardholder databases. That being said, if a person who has access wants to do something illegal with that information, it is very difficult to stop them.
(Sent Jul 13, 2007 2:55:02 PM)
Monitoring downloads, etc. is all fine and good, but what about people who have access to sensitive situation and steal it with old fashioned pen & paper? Nothing is ever completely safe in today's world. Also, if our police departments and governmental agencies started taking identity theft seriously, this might happen less.
(Sent Jul 13, 2007 3:01:17 PM)
Gee, this reminded me of another story in the news this past month - the one where some of the delay in processing passport applications was being blamed on the fact that most of the data entry work had been outsourced to CitiCorp. A passport application has just about everything you need to steal someone's identity completely.
But then, there wouldn't be a market for this information except that the government has allowed the credit card companies to pass most of the burden of I.D. theft onto the victims and the cardholders. They want to issue credit cards quickly and easily to anyone who bites at their advertising, and they figure the victims of I.D. theft can sort out the mess later. That's why processing centers even issued credit cards based upon applications which had obviously been torn to pieces and taped back together again, before being filled out and submitted!
Rick, Seattle (Sent Jul 13, 2007 3:02:41 PM)
Our systems have been engineered with an underlying assumption that someone (or some group) will always have absolute access to everything (super user access, administrator access). This is so completely embedded in our thinking that even new applications that get rolled out have this built-in weakness.
Some organizations employ policies that the user will not abuse the powers vested in him/her. This does NOT prevent a malicious insider (employee, contractor, sub-contractor) etc or negligence from causing breaches.
The old adage, 'Prevention is better than cure', surprisingly, still remains the way to go. We have GOT to move beyond 'detective controls' and move to 'preventative controls'.
Rajesh Parthasarathy, New York, New York (Sent Jul 13, 2007 3:16:12 PM)
You know I can't wait for someone or all of the people in congress to get their identity stuff stolen or hacked or used. Then they'll see the severity of the situation we face and start holding someone accountable and move to remove using our social security and other personal information altogether. I finished reading a book by Frank Abagnale titled Catch Me If You Can. He stated at the end of the book that if he would have done today what he did in the 1960's it would be 200% easier because of technology. God help us!
Mp, orlando, FL (Sent Jul 13, 2007 3:17:10 PM)
Jeesh....it's getting rough out there folks. I think I agree with Shannon in Seattle. Maybe we should all start shoving our money back into the mattress. At least most Americans are now armed and can protect their money and identity themselves.
Larrisa, Cincinnati Ohio (Sent Jul 13, 2007 3:17:52 PM)
An earlier post hit the nail on the head - Identity theft is not considered a sufficiently serious crime. The company that allowed your data to be stolen simply shrugs, the credit reporting agencies all view it as largely your problem, and law enforcement can't be bothered with identity theft when there are other crimes against humanity to worry about, like littering. If your bank/card issuer also looks upon identity theft as essentially the problem of the card holder, then you really are on your own. When it comes to allowing a company electronic access to an account, make it a credit card account or preferably (if you can manage it) don't allow it at all.
Willy, Litchfield Park, AZ (Sent Jul 13, 2007 3:25:34 PM)
Why on earth do they keep this information stored long enough for someone to frickin' steal it? Why not just simply process the transaction and simply delete the credit card information? I don't do business with Amazon.com because they store my credit card information long term.
Ken Liljekvist Anchorage Alaska (Sent Jul 13, 2007 3:44:31 PM)
If you read the privacy policy like everyone should, it says that the Disney Movie Club uses a third party to process transactions.
It doesn't really matter though, a Disney employee could have stolen information just as easily.
Chris, Missouri (Sent Jul 13, 2007 3:55:01 PM)
Off-Shore consultants doing this? Alta Resources specializes in off-shoring. Let's verify that, please. Some facts: off-shore services take US jobs, off-shore employees do not need to give 2 weeks notice to just quit, creating training nightmares, off-shore issues force US consultants to pay $3000 a year just for additional insurance policies. Find out for us who at this firm, as well as the Fidelity issue you mentioned, stole customer info. Not saying U.S. folks won't steal, but let's keep it all in the family :-)
no name (Sent Jul 13, 2007 4:19:41 PM)
It all comes down to four things: accessibility, security, motivation, and entitlement.
Accessibility: No single user should have access to everything needed to make stolen information work. The two-man rule must be in effect for critical information.
Security: Pattern detection and change detection software needs to be used to locate unusual or unwanted access. Furthermore, when the alarms go off, they should always be investigated -- not ignored.
Motivation: Most hackers do things in order to see if they can do it. Make it obvious that such attempts don't have a payoff worth the effort of the attempt.
Entitlement: Don't put poor, vulnerable, or angry employees in places where they can be tempted. Most of the time this comes down to treating employees as valued assets instead of replaceable cogs.
Alan Sheets, Loveland CO (Sent Jul 13, 2007 4:23:49 PM)
Additional note: as a programmer in the business for 30 years, when internet capability began and online banking, etc. was first proposed, the programmers in the business stated upfront that ALL THIS WOULD HAPPEN - that nothing electronic could EVER be secure. Bosses and management and CEOs of course just laughed it off and went for the money. The same Blackstone boss who made 400 million dollars one year could care less what happens to John Doe's accounts. Hide it under the mattress is right!
no name (Sent Jul 13, 2007 4:23:50 PM)
According to the rules set down by Visa/MC the CVV number (the three digit code on the back of the card) should never be stored anywhere by a merchant. It should ONLY be used to authorize the transaction at the moment it is processed.
Even though this was for a monthly billing they still only need the CVV code once, then set up the transaction as a recurring billing so that they don't have to store it somewhere.
Whether it was Disney or the 3rd party company that set up the billing procedure, they did it wrong.
Tom E (Sent Jul 13, 2007 4:25:17 PM)
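Tom E's point, that the CVV is used for one authorization and later months are billed against a processor reference, shown as an added example that is not code from the article, Disney or Alta: the one-time authorization call, the token format and the member record are constructed stand-ins (a real processor API would be called instead), and the check at the end reports which fields of a stored record still carry card data, with the "keep the PAN and CVV for next month" record beside the tokenized one.

```python
import re
import secrets
from dataclasses import dataclass, asdict

def luhn_valid(digits):
    """Luhn checksum, used to recognise a real PAN among digit runs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

@dataclass(frozen=True)
class StoredBilling:
    """All the merchant keeps for a recurring plan: a processor token plus
    the display fields needed for statements. No PAN, no CVV."""
    member_id: str
    token: str
    last4: str
    expiry: str

    def as_record(self):
        return asdict(self)

def authorize_first_charge(pan, cvv, expiry, amount_cents):
    """Stand-in for the processor's one-time authorization call (constructed,
    hypothetical; a real processor API would be called here). The CVV is
    checked for this single call and is neither returned nor stored."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("invalid PAN")
    if not (cvv.isdigit() and len(cvv) in (3, 4)) or amount_cents <= 0:
        raise ValueError("invalid CVV or amount")
    # An opaque random token stands in for the processor's card-on-file
    # reference; it is not derived from the PAN, so it is worthless if leaked.
    token = "tok_" + secrets.token_urlsafe(12)
    return {"approved": True, "token": token, "last4": pan[-4:], "expiry": expiry}

def set_up_recurring(member_id, pan, cvv, expiry, amount_cents):
    """Charge once with the CVV, keep only the token for later months."""
    auth = authorize_first_charge(pan, cvv, expiry, amount_cents)
    return StoredBilling(member_id, auth["token"], auth["last4"], auth["expiry"])

PAN_RUN = re.compile(r"\d{13,19}")
CVV_KEYS = {"cvv", "cvc", "cvv2", "card_security_code"}

def persisted_card_data(record):
    """Names of the fields in a stored record that still hold card data:
    any CVV-style key, or any value containing a Luhn-valid 13-19 digit run.
    A correctly set up recurring record yields []."""
    findings = []
    for key, value in record.items():
        if key.lower() in CVV_KEYS:
            findings.append(key)
        elif any(luhn_valid(run) for run in PAN_RUN.findall(str(value))):
            findings.append(key)
    return findings

# The pattern the comment objects to: full card number and CVV kept so each
# month's charge can be re-submitted. Constructed record using a test PAN.
WRONG_RECORD = {"member_id": "M-1001", "pan": "4111111111111111",
                "cvv": "123", "expiry": "12/09"}
```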
I was one of the people that got this letter. I got it in the mail yesterday and needless to say, I wasn't very happy about it at all. If fact...I was downright angry!
The odd thing is that I cancelled my service yesterday...before I read the letter.
Rich, Houston, TX (Sent Jul 13, 2007 4:35:54 PM)
I used to work for an insurance company and we dealt with credit cards regularly. There was no system to protect our insured members from employee theft. I could have kept a running list, if I'd wanted to.
(Sent Jul 13, 2007 5:03:03 PM)
This Disney fiasco is exactly why I don't even have a credit card! I know they're great in an emergency, but not worth the risk. I would not use it enough to be able to monitor it. I don't even like giving information out to help desks. My cell provider has allowed me to use a password on my account instead of my SS# or Acct#. All I had to do was ask!
LW, South Dakota (Sent Jul 13, 2007 5:10:21 PM)
I'm all for it (shoving the money in mattresses)
I may just start doing that.
Holly - Missouri (Sent Jul 13, 2007 5:30:14 PM)
How about this - make the corporations LEGALLY LIABLE for these data breaches with a LIQUIDATED DAMAGES clause in the law?
Want to see this garbage stop? That's how you can make it happen
Karl Denninger, Niceville FL (Sent Jul 13, 2007 5:31:06 PM)
anyone caught stealing and selling this type of information should be charged for each count example a thousand id's = a thousand counts at 5 years each!!
ALLAN (Sent Jul 13, 2007 5:47:06 PM)
I am reading a lot of talk about how the Government should step up its effort to prevent and prosecute those who steal ID information, since we should all know by now the Government hasn't corrected ANY problem facing America yet, so why does it seem such a shock that they are unable to take action on this point? I feel the best way to correct the issue is to let the power of our free market system do the demanding for us i.e. STOP buying stuff on-line, STOP using credit cards everywhere you go, STOP applying for those credit cards to begin with... once we start pulling our money out of the systems that support ID theft we should see swift action on the part of those companies to regain our trust and strengthen the protective systems and policies they either have currently or don't have (but will develop once the cash starts drying up). So in short I say YES we should start shoving our money under our mattresses... once it's out of the hands of those large companies they will have no other choice but to be more mindful of the respect our personal information deserves.
Scott, Louisville, KY. (Sent Jul 13, 2007 5:48:30 PM)
Disney does bill you to pay with a credit card
(Sent Jul 13, 2007 5:57:24 PM)
Speaking of identity theft, did anyone know that the Social Security department is issuing numbers already in use? How does one unscramble a mess like that?
Sherry, Salina, KS (Sent Jul 13, 2007 6:03:10 PM)
I think the real problem is the passing along your information to 2nd parties, without your permission. Having your identity stolen from another company makes it much harder to figure out who you gave what to.
(Sent Jul 13, 2007 6:04:44 PM)
Until when the government feels we are not capable to bear arms anymore.
Frank, Toledo (Sent Jul 13, 2007 6:11:17 PM)
Until the Fed/State governments start throwing the book at these people, this will continue. They mostly seem to be able to plea bargain or get a slap on the wrist with probation.
It's far too easy to use stolen cc's. Why aren't the credit card co's doing something to stop this? Such as simply requiring a pin with your cc transaction like with debit? Point being, it can be stopped at the source (cc co's.) if they would do something.
Christopher W., Hermosa Beach, CA (Sent Jul 13, 2007 6:16:58 PM)
Karl in FL has the right idea - every time that this happens, all of the people affected should file a class-action suit against the company involved. Don't wait for the government to mess up another law - if it hits the companies' bottom line, THEN we will see changes. Until then, we'll only see more problems.
(Sent Jul 13, 2007 6:27:40 PM)
Chances are Disney was not in compliance with the PCI standards for sensitive information. The PCI is stepping up fines against clearing houses dramatically next year for non-compliance with their requirements. Fines start at 25k/month and will go into the millions for eventual non-compliance. It's not all bad news folks.
https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
Todd (Sent Jul 13, 2007 7:19:09 PM)
Not that long ago, anyone who charged in excess of 6% annual interest was a "loanshark" and considered a crook.
Then the banks started sending cash to Congressmen in the form of political contributions (pay-offs) and now those least able to afford it are given unsolicited credit cards, paying in many cases 30% interest, late fees, etc.
The future for America is horrible because our Congress is just about totally corrupt, as bad as or worse than any other country on the planet. If we don't start voting out all incumbents, Democrats AND Republicans alike, there is NO HOPE.
Bklyn Ron (Sent Aug 7, 2007 11:34:56 AM)
JUST THINK IF YOU GOT AN AUTOMATIC 7 YEAR JAIL SENTENCE FOR HACKING WITH NO TRIAL OF ANY KIND, DON'T YOU THINK THAT IT WOULD COME TO A HALT? NO CRYING, NO EXCUSES, WHAT ABOUT MY FAMILY OR I KNOW SO AND SO. I BET THAT NO ONE WOULD BE STUPID ENOUGH TO TRY IT...WHO IN THE HELL WANTS TO ROT IN JAIL FOR THAT LONG?
R.D.P. (Sent Aug 9, 2007 2:13:58 PM)