Network World
Monday, December 1, 2008
Buzzblog

Disney Movie Club members victimized in latest data-breach horror show

An undisclosed number of Disney Movie Club members have received letters informing them that their credit-card information was sold by an employee of a Disney contractor to a federal agent as part of an undercover sting operation, Network World has learned.

(Update: Johnson & Johnson also victimized.)

The sting occurred sometime in May, while the letter - a copy of which was forwarded to Buzzblog by the security Web site attrition.org - is dated July 6. Why notification took that long is among this morning's unanswered questions (update below from Disney ... and later comments here from a club member/database security expert who got one of the letters).

The latest in a seemingly endless string of data-breach incidents involving major organizations, this one is being pinned on a third-party contractor, Alta Resources, according to the letter signed, "John Flynn, for the Disney Movie Club." The address on the Disney Movie Club stationery matches that of an Alta Resources P.O. Box in Neenah, Wis., so I'm presuming the verbiage comes from Alta Resources. From the letter:

One of Alta Resources' employees sold certain credit card information to federal law enforcement agents, as part of an undercover sting operation, in May 2007. The information included your name, address, credit card number and expiration date, and credit card type (e.g., Visa, MasterCard, American Express or Discover), and may have included your telephone number and e-mail address if you had provided that contact information to us. We have been assured that the card security code (e.g., the CVV or CVC code) for your card was not included in this information.

Disney's public relations outfit has yet to respond to my request for an interview.

(Update: Just talked with Eric Maehara, a spokesman for Disney Movie Club owner Buena Vista Home Entertainment, who told me he is not at liberty to discuss details of the incident -- including the number of club members victimized -- because there is an ongoing investigation by the Secret Service. Everyone whose data was compromised has been contacted, he said, adding, "We outreached as fast as we could" given the necessities of the investigation. Alta Resources has been a Disney contractor for 10 years without having had a previous known episode of this nature, according to Maehara.)

(Update, July 14: Suspect named.)

An Alta Resources executive told me this morning that she would find an appropriate person to return my call seeking comment.

The letter - posted in full here - also contends that the authorities have said they have discovered no misuse of the proffered personal information (a Buzzblog reader disagrees here) and that the credit card companies have been informed. It recommends that those who were victimized check with their credit card companies.

In addition, the letter indicates that the Alta Resources employee has been fired. No word on prosecution or which federal agency conducted the sting.

This morning I've had an opportunity to chat about the letter via e-mail with Lyger, the attrition.org staff member who sent me the copy. Attrition.org maintains an archive of security breaches that resulted in the loss of personally identifiable information. Here's some of that chat:

What's your take on the seriousness of the breach based on the info provided? Is there any comfort to be taken from the business about CVV and CVC codes not being divulged?

"As far as 'risk-level seriousness' goes, I'd put it around the same as the TJX and Polo breaches, however the letter does mention that there is no indication of any attempted fraud other than selling the information to law enforcement officials. I'd be especially interested in knowing how many cards and/or people are potentially affected. As far as CVC codes not being revealed, I can't remember the last time I was even asked for mine, so I'd say that's probably a 'feel-good' line for additional comfort."

Shouldn't a company of Disney's stature have better control of such things this far into the data-breach deluge?

"Shouldn't the United States federal government? ;)

"OK, seriously, I would think that most large corporations are at least somewhat aware of issues surrounding 'data loss' or 'data theft,' but putting preventive controls into place isn't always easy; there can often be a lot of red tape to go through before even the most simple of measures can be enacted. Disclaimer: I know nothing about Disney's business practices, just speaking from my own personal experience."

Does the use/trusting of a third party deserve special attention here?

"In my opinion, not really 'special' attention: Outsourcing business functions is standard practice for most companies. If you store backup tapes offsite, you're probably using a third party vendor. If you ship your client list to corporate HQ on a CD or DVD, you're trusting the USPS, UPS, FedEx, or another vendor to get it there safely. In this case, an employee (now terminated) of a third party vendor allegedly attempted to commit fraud. One bad apple, but the company (Alta Resources) will end up taking the heat, and so will Disney."

There's no doubt about that.


Disney / Alta data theft


We received one of these notices yesterday. My wife is a long time member of the Disney movie club. She occasionally buys Disney movies that are trotted out of the "vault". So we had a Discover card number on file with Disney.

About 2-3 months ago, we got word from Discover that an $8,000 charge had been made against our Discover card. Apparently, a thief got ahold of our number and made some sort of transaction on pay pal. Discover caught the fraud within 2 hours of the transaction. They knew it wasn't us, and wrote off the $8,000 charge. But we still had to go through the motions of getting our Discover number changed.

Then we received the Disney / Alta letter saying the Alta employee was caught selling our Discover number to an FBI agent. I thought: what number? The old number or the new number? So I called and spoke with a supervisor. At first Disney / Alta was not willing to look up what Discover card number was involved. But I pressed them. They finally admitted it was our NEW Discover number.

In the 17 years we've had our Discover card, we never had a security issue. Then, in the space of 2-3 months, we had these two fraud events. I believe they are related.

I believe the fact that the FBI set up a sting means the Alta employee was doing this for a long enough time so as to attract the attention of law enforcement. That means he had been doing this for a while. This corroborates the time frame of our fraudulent charge on the old number. The fact that he also sold our new number corroborates the idea of an ongoing security breach.

I also think the fact that we had an $8,000 charge on our old number probably means this guy probably had MULTIPLE buyers (real criminals + the FBI informant).

I don't think the fact that the thieves did not have the CVV or CVC code made any difference. I think they were able to log into pay pal and make the $8,000 charge against our old Discover card number without the CVV or CVC codes.

The Disney / Alta customer service reps tried to assure me that THEY had no evidence that our Discover number could be used in a fraudulent transaction. I told them that I had independent evidence that the thieves working with this guy may have done that already.

We felt we had no choice but to cancel the new Discover number and get a third number. My wife is taking care of that today.

contradiction....


You contradict yourself. You said it was your NEW number that was compromised, but your OLD card had the charge? Clearly the two are not related.

Not a contradiction


He didn't contradict himself. He said that the fraudulent charge was made on the OLD number. So he changed it and got the NEW number. Then the Alta employee sold the NEW number to the sting operation, so BOTH numbers were compromised. That's why he had to get the THIRD number. Makes sense to me.

Think about the WHOLE story


The man's story and suspicions are very plausible. Just think and read his WHOLE statement.

Sting operations are not set up overnight, and they don't necessarily have immediate results. It is extremely plausible that the crook(s) didn't get caught the very first time the crime was attempted. It is very likely that the thefts were at least suspected for some time, so law enforcement set up a response.

It took a while to get notice of the problem, set up a response, and work on the matter before seeing any results. 2-3 months is a very reasonable time frame to believe there is a direct connection to Disney's breach.

Also, if you think a megacorporation like Disney should be trusted to tell the truth when it is dealing with enormous legal liability, you are more than a little naive.

that is a big FAT LIE


I was also a victim...


Recently, just this last Christmas, I was also a victim of this mess. I think it's really unprofessional of Disney not to contact everyone. Everyone? I was not contacted and did not purchase anything, but my account shows otherwise, as it was charged with a purchase from Disney of over 50 dollars. If they did 50 people like me they made 5000, and I know that the club has a lot more than 50 members. Maybe what they need to do is put some operators on to answer the phone for any questions, but instead you reach a recording that does not offer any help. 1 out of 10 for their customer service department.


About Buzzblog

When not blogging, I am a Network World news editor and write the 'Net Buzz column.


The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.
