Newspapers Wrapped in Credit Card Data
Buzzy's Roast Beef writes "The Boston Globe reports that bundles of newspapers in Worcester, MA were distributed wrapped in paper which contained subscriber credit card information for 240,000 customers. Those of you paying by check needn't worry; account and routing details for 1,100 customers paying by check were also given out like candy." From the article: "Larkin said the newspapers were first notified of the security breach on Monday by a clerk at a Cumberland Farms store. It took until late Monday for officials to confirm the data on the back of the paper were credit and debit card numbers. Senior management learned of the security breach yesterday morning, Larkin said. The company put out a news release late yesterday afternoon."
Access Control (Score:5, Interesting)
The article explained the mistakes, which were caused by aborted print jobs; only those printed documents were in the bin for recycling!
At least the newspapers have now added a safeguard to the computer system so only the last four numbers of credit and debit cards can be printed.
Heh. (Score:5, Interesting)
So you see there is a financial subset inside circulation that deals with that billing info, which is why they have access to it. The reason it doesn't go straight to accounting is because, in most papers, accounting deals almost exclusively with advertising revenue and billing, which is a lot more complex than 15 bucks a month, or whatever the news subscription rate is, which gets billed automatically.
All that being said, it took some kinda dumbass to dump that info out on the toppers, and a whole crew of dumbasses down the line to attach that information to the paper. Most places don't put anything like personal information on the toppers for papers they're distributing, so it should have been obvious to anyone that there had been a mistake...There are a LOT of people who should have noticed something was wrong.
Re:Heh. (Score:2, Insightful)
Re:Heh. (Score:2)
Re:Heh. (Score:5, Funny)
Woops. Typo. I meant to type "it's a complicated issue." The keys are all right next to each other.
Re:Heh. (Score:2)
And how is that different from "Your business model is broken."
Re:Heh. (Score:2)
Just in case you're not trolling, I'll bite. Mismanagement is running an industry (print media) that regularly sees 20-30% profit margins (on par with drug companies), and claiming, at the same time, that money is too tight to pay carriers mileage that covers gas prices, or to employ a staff anywhere near the size it would take to produce a first rate product.
That's the difference.
Re:Heh. (Score:2)
Capitalism isn't about paying what you can afford to: it's about maximising profits. This is achieved by some combination of
Two Words: Rights Management (Score:3, Interesting)
For example, whenever a card number is typed into the database and updated it will only show the last four digits to any human. I would assume Circulat
Re:Two Words: Rights Management (Score:2)
Definitely seems fishy. What the hell are they doing with their cc numbers there?
Re:Two Words: Rights Management (Score:2)
Re:Heh. (Score:2, Insightful)
Circulation and accounting are connected like two wrestling squid. Every night a whole series of jobs are run referencing all kinds of billing information to determine whose subscriptions are paid up to the point where they qualify to get a paper in the morning. So all the customer card/account numbers are processed by the circulation side, and sent in cash batches to accounting.
So you see there is a financial subset inside circulation that deals with that billing info, which is why they have access to i
Re:Heh. (Score:5, Insightful)
The way it works here is pretty similar to what you're talking about. Each customer has a unique ID. Now somewhere in the system that ID is connected to their credit card number (if they pay with it), but that part is never accessed by any reporting features. It's just sourced every time a billing request is generated by a weekly billing job in another part of the system. That job runs a charge on the card, and marks down the payment in another area, referenced by the customer ID and containing the date, amount, and transaction ID.
There are two people here who have a high enough level of access to the system to write a report that would merge credit card and user data in a printable form. There are maybe three others who could look up any card they chose, but they couldn't generate any kind of report containing multiple cards. All the printers connected to that system are in a physically secure area.
Basically we never do anything with the credit card number but generate billing with it. It's on no reports. Why would it be? What legitimate use is the credit card number to anyone except the authorized user? I passed the article around down here in the basement, and we all had a good laugh about it (first time we've been happy not to be the Globe...heh), and none of us can even IMAGINE a scenario where printed lists of credit cards would be useful for any legitimate purpose.
Re:Heh. (Score:2, Insightful)
I used to work at the distribution center in New Hampshire, where the various sections of the papers are put together to form the whole paper. Yes, it is a whole crew of dumbasses.
For if it gets slashdotted (Score:5, Informative)
Also:
"As an extra precaution, newspaper officials also urged subscribers to contact their credit card companies if they are concerned about unauthorized transactions."
This is a very serious problem
The Boston Globe (Score:5, Funny)
Re:The Boston Globe (Score:2)
Need to print the data? (Score:5, Interesting)
Re:Need to print the data? (Score:5, Informative)
If you pay by credit card with autopay, or similar, when your subscription is up, the system charges your card. It goes straight to the bank. It's not even a special job...Purely automated. The $$$ amount shows up on the batch report the next day, along with your name and subscriber ID and NOT your credit card number, because it would just be one more thing you don't need to look at on an already crowded report.
At the same time, if someone is paying by check, as opposed to having the money automatically debited from their account every day, we don't KEEP the routing number...Why would anyone? We just keep the check authorization number. With that, you can get the routing number if you need it, for whatever reason, later.
Re:Need to print the data? (Score:4, Informative)
For legal reasons one must still be able to present data in a form counsel can use in a trusted and secure method.
Re:Need to print the data? (Score:3, Interesting)
> counsel can use in a trusted and secure method.
I can understand that for certain legal -purposes- this may be necessary. Is it strictly necessitated by law, however? Federal or state?
For security reasons, many firms don't store the credit card numbers after processing the transaction (obviously, doesn't apply to any regularly repeated transactions/subscriptions).
Is this solely required for repeating transactions?
Uh yea (Score:2)
I can tell you with absolute certainty that, in the print media conglomerate that I work for, you will NEVER see hardcopy credit card numbers.
Re:Need to print the data? (Score:2)
Re:Need to print the data? (Score:2)
imho, accepting a public number as a payment is irresponsible.
One implementation:
expensive subscription (Score:5, Funny)
Re:expensive subscription (Score:2)
Looked like a joke to me.
Re:expensive subscription (Score:2)
I thought it was a funny way of pointing out the decline of paper media. If I hadn't wasted my mod points on that damned Google article I would have modded the parent +1 Funny.
Re:expensive subscription (Score:3, Funny)
Are you kidding? Do you know how much cheaper it would be to subscribe to these bird cage liners than it would be to purchase 240,000 credit/debit card accounts on the black market? The ROI seems pretty high to me!
Re:expensive subscription (Score:1)
Re:expensive subscription (Score:2)
I thought this was one of the best reasons to have a credit/debit card. Get mugged? Well they only walked away with what cash was in the wallet, and you never need much in your wallet except when you are planning on making a large purchase or many purchases in cash.
Re:expensive subscription (Score:2)
I'll use my credit card, use it on the internet, not worry about losing it, or someone else stealing it and using it. I'll let someone else handle pain in the ass merchants for me. And I'll pay my bill in full every month. And the credit card companies will give me free money for doing so.
"Real solution" indeed.
Re:expensive subscription (Score:2)
It was for the St. Paul Pioneer Press.
So that's 2 strikes.
Don't piss off a geek (Score:5, Funny)
The nice thing about being an honest guy like Quinn is that the crooks never believe you.
Anyone up for doughnuts? (Score:3, Funny)
Re:Anyone up for doughnuts? (Score:1)
crazy! (Score:4, Informative)
The Globe and T&G financial information was inadvertently released when print-outs with the confidential information were recycled for use as "toppers" for newspaper bundles. A topper, placed on top of a bundle of newspapers, is inscribed with the quantity of papers in each bundle and the carrier's route number.
Re:crazy! (Score:2)
You wish (Score:2)
Lot of people could have seen 'em
Re:You wish (Score:2)
Sounds like Playboy (Score:5, Funny)
Re:Sounds like Playboy (Score:2)
No biggie (Score:2, Funny)
Can't get enough Red Sox coverage... (Score:1)
A newspaper wrapped in credit card data... (Score:1)
Re:A newspaper wrapped in credit card data... (Score:2)
we wrapped your ordinary news inside a layer of credit card data. then we wrap it in the carbon paper used to xerox your Social Security numbers. but we're not done yet! first we add another layer built out of investigative photographs of the inside of subscribers' homes, then we add on a layer of DNA samples from each household, and finally wrap all that in a 5-year credit history of the highest profile household from each neighborhood. you can't get news th
Why? (Score:5, Insightful)
Re:Why? (Score:2)
The real problem is that the discarded printouts were not properly disposed of.
The real solution is to add safeguards to prevent accidental printout of personal financial information.
Re:Why? (Score:2)
The main business had run for many years on massive mainframes, but being otherwise 100% Microsoft (they had a free unlimited licencing agreement) we used ISS and MS Commerce server for the web.
It was not until I realised that complaints about web orders were taking so long to cancel that I realised that at the end of the day each order from the web was being printed out and manually typed into the mail order system.
Things started getting
Oh the irony... (Score:5, Funny)
The ad was for American Express. ^_^
Soko
Upon Request?! (Score:4, Funny)
They will only turn the numbers over upon *request* and only MC and Visa have requested it? WTF?!
Re:Upon Request?! (Score:2, Funny)
They already know which numbers were released.
Re:Upon Request?! (Score:2)
The industry is getting desperate... (Score:5, Funny)
So I go to read the article, and the ad on-page is (Score:2)
Maybe it all fits. Maybe a subscriber would want a new card after their Visa # is everywhere they want to be.
And please tell me there's some kind of criminal statute being violated here. The idea that those numbers would need to ever be printed out en masse is ridiculous; the process of letting those printouts get into the real world is grossly negligent.
Re:So I go to read the article, and the ad on-page (Score:2)
You should not miss Microsoft bitching stories, comments on Slashdot, MS ads everywhere
I mean, if OSTG didn't tweak it.
Why don't credit cards use private keys? (Score:1)
Penalties and legal action? (Score:1)
It's really bad (Score:2, Funny)
major businesses have no security. (Score:1)
From the article on American Express:
Re:major businesses have no security. (Score:2)
They don't comply (Score:5, Informative)
Specifically these sections:
9.10 Destroy media containing cardholder information when it is no longer needed for business or legal reasons:
9.10.1 Cross-cut shred, incinerate, or pulp hardcopy materials
9.10.2 Purge, degauss, shred, or otherwise destroy electronic media so that cardholder data cannot be reconstructed
C'mon now, let's at least make an effort! (Score:2)
Anyone, anyone? Bueller? Bueller?
If I allow somebody to cache my information, I would hope that they would at least try to protect it, rather than delivering to the world at large!
that's a wicked pissah! (Score:1)
Re:that's a wicked pissah! (Score:4, Funny)
save paper? (Score:3, Funny)
Stupid (Score:2)
It's such a major screwup, it's hard for me to see how it couldn't have been done at least partly on purpose. Ho
Re:Stupid (Score:2)
All is revealed in TFA. The one that you didn't read.
Re:Stupid (Score:2)
If I walked into the printer room and found someone printing out lists of credit card numbers he'd be fired, and THAT is only if I thought it was some kinda mistake. If I thought anything else, I'd have his ass arrested.
There is no possible legitimate purpose in printing that
Perhaps the globe should investigate (Score:3, Insightful)
Burn Box, anyone? (Score:2, Insightful)
Re:Burn Box, anyone? (Score:2)
Re:Burn Box, anyone? (Score:2)
I was on the list (Score:3, Interesting)
So I had to cancel my card and get a new one.
It's too bad the Herald is such a rag or I'd drop my subscription today. Maybe I will anyway and just get my news off the web like everyone else.. but I so love to curl up with my coffee and paper on Sunday mornings...
Re:I was on the list (Score:2, Funny)
Re:I was on the list (Score:1)
insane (Score:2, Interesting)
Since having your identity stolen is so difficult to recover from I think anyone that has had their info. sent out should sue if their identity is stolen. Then the company gets to pay for the next five years of credit cleanup for the person.
Hit'em in the pocketbook and they'll pay more attention.
dream come true.. (Score:3)
The Boston Globe Subscription Dept. (Score:2)
Freedom of the Press? (Score:2, Interesting)
Worse still, we've now found out (in a roundabout fashion) that they've been 'recycling' these credit card 'reports'. So that means for countless years, the people have just been 'giving' private/confidential/sensitive informat
Similar thing happened to me, maybe you too (Score:4, Interesting)
Re:Similar thing happened to me, maybe you too (Score:2)
What you should be wondering is why it's not illegal for anyone but the social security administration to use your number for an
Re:Similar thing happened to me, maybe you too (Score:2)
Re:Similar thing happened to me, maybe you too (Score:2)
It really is this pathetic - it is like their IT department (or whoever maintains their DB systems) have never heard of a "merge" utility. Yes, such a utility does need to be run and verified by a human, but hopefully the system can detect when there are possible duplicate
H&R Block -- me too (Score:2)
We found it pretty funny.
News release (Score:1)
Now that's odd. Would've expected... (Score:3, Funny)
It's bad enough... (Score:1)
That's it. I'm just writing my credit card numbers & expiry dates, passwords and PINs on stickies and leaving them on my monitor and in my wallet. That's about equally as secure as giving them to any company these days...
Website to check if you've been exposed (Score:4, Informative)
http://www.bostonglobe.com/cclookup [bostonglobe.com]
and yes, I'm on the list....
Re:Website to check if you've been exposed (Score:2, Funny)
Re:Website to check if you've been exposed (Score:2)
Re:Website to check if you've been exposed (Score:2)
I Got Your (Credit Card Number) (Score:2)
Data security (Score:2, Insightful)
They should be required by law to keep the data secure. I would propose the following requirements:
- Credit card and personal information must be stored encrypted or not stored at all.
- Any machines containing cardholder data should be fully equipped with
Irony (Score:2)
Ironically, the news release itself was wrapped in paper bearing the Social Security numbers, ages, and (worst of all) current weights and clothing sizes of the paper's subscribers.
News Release (Score:4, Funny)
The Globe Is Dying (Score:2, Interesting)
Not just credit cards... but telephone numbers... (Score:3, Informative)
The books arrived packaged in a box, with packaging made from horizontally shredded listings of Oracle customer response center telephone numbers.
Credit cards are supposed to be kept secret? (Score:2)
My Only Question... (Score:2)
Was it wrapped in credit card information too? Or maybe just social security numbers...
Re:Your needs - My needs (Score:2)