Newspapers Wrapped in Credit Card Data

Buzzy's Roast Beef writes "The Boston Globe reports that bundles of newspapers in Worcester, MA were distributed wrapped in paper which contained subscriber credit card information for 240,000 customers. Those of you paying by check needn't worry; account and routing details for 1,100 customers paying by check were also given out like candy." From the article: "Larkin said the newspapers were first notified of the security breach on Monday by a clerk at a Cumberland Farms store. It took until late Monday for officials to confirm the data on the back of the paper were credit and debit card numbers. Senior management learned of the security breach yesterday morning, Larkin said. The company put out a news release late yesterday afternoon."

Access Control

[imoou]

It should be a no brainer that financial information (not just credit cards) can only be access by the finance department, and any waste paper in the finance department must be disposed of by professional data destruction companies.

The article explained the mistakes, which were caused by aborted print jobs, only those printed documents were in the bin for recycling!

At least the the newspapers have now added a safeguard to the computer system so only the last four numbers of credit and debit cards can be printed.

Need to print the data?

[funkmeister]

Why does these data need to be printed at all? What possible need is there to see these numbers on paper?

Heh.

[SatanicPuppy]

Circulation and accounting are connected like two wrestling squid. Every night a whole series of jobs are run referencing all kinds of billing information to determine whose subscriptions are paid up to the point where they qualify to get a paper in the morning. So all the customer card/account numbers are processed by the circulation side, and sent in cash batches to accounting.

So you see there is a financial subset inside circulation that deals with that billing info, which is why they have access to it. The reason it doesn't go straight to accounting is because, in most papers, accounting deals almost exclusively with advertising revenue and billing, which is a lot more complex than 15 bucks a month, or whatever the news subscription rate is, which gets billed automatically.

All that being said, it took some kinda dumbass to dump that info out on the toppers, and a whole crew of dumbasses down the line to attach that information to the paper. Most places don't put anything like personal information on the toppers for papers they're distributing, so it should have been obvious to anyone that there had been a mistake...There are a LOT of people who should have noticed something was wrong.

I was on the list

[flez]

I woke up this morning to read that the Globe (which I subscribe to) was plastering my CC number all over the place.. Called their "hotline" which was busy all morning (.5million subscribers, one number, you do the math). Finally got through after lunch and was on hold for 1/2 hour to find out that my name was on the leaked list.

So I had to cancel my card and get a new one.

It's too bad the Herald is such a rag or I'd drop my subscription today. Maybe I will anyway and just get my news off the web like everyone else.. but I so love to curl up with my coffee and paper on sunday mornings...

insane

[apocalypse76]

This takes irresponsible to a whole new level. Any company in thier right mind should have shredders/chippers in thier finance department for any waste paper.

Since having your identity stolen is so difficult to recover from I think anyone that has had thier info. sent out should sue if thier identity is stolen. Then the company gets to pay for the next five years of credit cleanup for the person.

Hit'em in the pocketbook and they'll pay more attention.

Re:Need to print the data?

[QuestorTapes]

> For legal reasons one must still be able to present data in a form
> counsel can use in a trusted and secure method.

I can understand that for certain legal -purposes- this may be necessary. Is is strictly necessitated by law, however? Federal or state?

For security reasons, many firms don't store the credit card numbers after processing the transaction (obviously, doesn't apply to any regularly repeated transactions/subscriptions).

Is this solely required for repeating transactions?

Freedom of the Press?

[Anonymous Coward]

Wait, I thought credit card mis-haps & other sources of fraud and identity theft, only occurred on the Internet. Seriously, it's bad enough we have to spend 20% of our lives shredding our old financial data, but to have a 'supposedly' responsible organization make it all for not?

Worse still, we've now found out (in a round-a-bout fashion) that they been 'recycling' these credit card 'reports'. So that means for countless years, the people have just been 'giving' private/confidential/sensitive information to another company? Depending on who does the recycling, this trash may even be public property (like residential trash taken to the curb). I hope for damn sure they have a contract with this company that dictates the terms of use for this material and that it includes a clause defining the destruction of financial data.

I guess 'Freedom of the Press' has a new meaning now, eh?

Similar thing happened to me, maybe you too

[c41rn]

I recently got a CD from H&R block to use when doing my taxes. Turns out that H&R accidentaly printed my social security number on the mailing label along with a string of other 'tracking numbers'. They sent a letter appologizing about it and saying that it had happened to a number of their customers. I still wonder why the shipping/printing department at H&R Block would have access to social security numbers at all.

Two Words: Rights Management

[ImaLamer]

I work at a newspaper and know exactly what you are talking about, the accounting-circulation connection (hence the department name "Circulation Accounting") but I'm surprised to hear that the full card numbers were distributed. I would assume that only the most inside of people, because computers handle all of the transactions, could access that information.

For example, whenever a card number is typed into the database and updated it will only show the last four digits to any human. I would assume Circulation Accounting could track down the transaction and find the number that way, but as far as I know the full card number is only given up electronically. What is the point of even having a list of card numbers printed on paper? Why would that even be close to the circulation field staff? I would ask the CIO why the field staff needs credit card numbers.

Then you come to another point - are the carriers working for themselves? If so, then the liability may just fall on that one person. It seems the newspaper is picking up some responsibility so I assume they are employed by the newspaper. Then the question goes back to the IT departments: Why can users access information they do not need?

Almost sounds like someone did it on purpose, you never know.

The Globe Is Dying

[SkyDude]

Just like its corporate parent, the New York Times, the Boston Globe is hemorrhaging readers. Their politics are left wing, they supported Kerry and all the other moonbats. They continue to telemarket randomly even though my number is on the "do not call" list. I've filed a complaint with the FTC about this. That they would be so cavalier about personal information doesn't surprise me. The paper sucks, the management sucks, and they should be euthanized. That's what they do to old horses; the Globe is an old horse.