Newspapers Wrapped in Credit Card Data

Buzzy's Roast Beef writes "The Boston Globe reports that bundles of newspapers in Worcester, MA were distributed wrapped in paper which contained subscriber credit card information for 240,000 customers. Those of you paying by check needn't worry; account and routing details for 1,100 customers paying by check were also given out like candy." From the article: "Larkin said the newspapers were first notified of the security breach on Monday by a clerk at a Cumberland Farms store. It took until late Monday for officials to confirm the data on the back of the paper were credit and debit card numbers. Senior management learned of the security breach yesterday morning, Larkin said. The company put out a news release late yesterday afternoon."

For if it gets slashdotted

[the-amazing-blob]

1-888-665-2644 is their hotline "for customers to call to learn whether their financial information may have been distributed."

Also:
"As an extra precaution, newspaper officials also urged subscribers to contact their credit card companies if they are concerned about unauthorized transactions."

This is a very serious problem

crazy!

[d34thm0nk3y]

In case anyone else was wondering (FTA):

The Globe and T&G financial information was inadvertently released when print-outs with the confidential information were recycled for use as ''toppers" for newspaper bundles. A topper, placed on top of a bundle of newspapers, is inscribed with the quantity of papers in each bundle and the carrier's route number.

They don't comply

[szembek]

Apparently the Boston Globe Doesn't comply with the Payment Card Industry standard, found here: http://usa.visa.com/business/accepting_visa/ops_ri sk_management/cisp.html [visa.com]
Specifically these sections:
9.10 Destroy media containing cardholder information when it is no longer needed for business or legal reasons:

9.10.1 Cross-cut shred, incinerate, or pulp hardcopy materials

9.10.2 Purge, degauss, shred, or otherwise destroy electronic media so that cardholder data cannot be reconstructed

Re:Need to print the data?

[SatanicPuppy]

Honestly, and I work in the business, I can't even imagine one. We store all that data, but there is no commonly run report that prints it out. There isn't any point in it.

If you pay by credit card with autopay, or similar, when your subscription is up, the system charges your card. It goes straight to the bank. It's not even a special job...Purely automated. The $$$ amount shows up on the batch report the next day, along with your name and subscriber ID and NOT your credit card number, because it would just be one more thing you don't need to look at on an already crowded report.

At the same time, if someone is paying by check, as opposed to having the money automatically debited from their account every day, we don't KEEP the routing number...Why would anyone? We just keep the check authorization number. With that, you can get the routing number if you need it, for whatever reason, later.

Re:Need to print the data?

[sckeener]

Why does these data need to be printed at all? What possible need is there to see these numbers on paper?

For legal reasons one must still be able to present data in a form counsel can use in a trusted and secure method.

Website to check if you've been exposed

[UM_Maverick]

In addition to the phone number that other people have posted, there's a website (no hold time) that you can check to see if you've been exposed. You'll need to supply your home phone number and zip code:

http://www.bostonglobe.com/cclookup [bostonglobe.com]

and yes, I'm on the list....

Not just credit cards... but telephone numbers...

[mikael]

Back in 1994, I ordered some books from an E-mail based company (Walnut Creek or somewhere similar).

The books arrived packaged in a box, with packaging made from horizonyally shredded listings of Oracle customer response center telephone numbers.