The following text is copyright 2003 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.

 

Making the worst of a bad situation

 

By Scott Bradner

 

It is quite amazing how some companies can compound a difficult situation by punishing the innocent and then point proudly at the demonstration of their inability to rub two neurons together when it comes to figuring out the impact of their actions.

 

Apparently sometime in early February credit card companies learned that someone had grabbed as many as 8 million credit and debit card account numbers from a small company that processes card transactions for mail-order and Internet vendors.  So far the news reports do not pinpoint just when the information theft might have happened.  At first the card companies seem to have kept the news secret but in mid-February they told at least some of the banks that had issued the cards about the theft.  The card companies told the banks that there had been no suspicious activity on any of the cards and that they were monitoring card activity closely just in case.

 

After a few days of secrecy it came out that the company was Omaha, Nebraska-based Data Processors International (http://www.dpicorp.com/).  While the terms "security" and "privacy" do not appear on Data Processors International's home page, they do brag about their "super secure server network" on an inside page.  I guess that it has been empirically determined that "super secure" is not enough in some cases.  I could not find anything on their web site about the card theft so cannot get their side of the story but, if the theft was done by an Internet-based computer hacker as the reports have it, then anyone who uses this company should be asking just why these records were on an Internet-accessible computer.

 

The card companies seem to have acted about as well as one could expect.  When they learned of the theft they checked for suspicious activity and informed the issuing banks.  Maybe they could have informed the banks sooner but at least they did inform them. 

 

Most of the banks also behaved quite well.  Many of them informed their customers but did not panic.  There was no reason to panic since the stolen numbers were known and their accounts could be watched.

 

But at least one bank seems to have had a brain fart.  Rhode Island-based Citizens Bank deactivated over 8,000 of its customers' cards just before a weekend.  A bank spokesperson said it was to protect the customers.  Let me understand this -- the credit card companies have policies in place that eliminate all customer risk, i.e., the customer will not be liable for any unauthorized charges, and the card companies reported that there had been no suspicious activity with any of the stolen cards.  Just what was the bank protecting their customers from when the bank made it impossible for the customer to use their cards to do things like buy groceries?  A bank that cannot think any better than this will not get my business but could be a valuable case study in what not to do if you have any interest in your customers.

 

disclaimer:  The Harvard B School does use case studies for teaching, but this one would not be believable -- who could be so dumb?  --   so it's my own lesson.