March 31, 2009 7:08 PM PDT

Symantec investigating customer credit-card data theft

by Elinor Mills

Updated at 9 p.m. PDT with more details from a Symantec representative.

Symantec is investigating allegations that a call center in India leaked credit card numbers of its customers to someone who then sold them to BBC News reporters posing as criminals.

The security company has informed U.K. privacy authorities and attorneys general and officials in eight U.S. states and Puerto Rico of the allegations that three U.K. customers had credit card information leaked and that about 200 U.S. customers may have been affected because of interactions with the call center, Symantec spokesman Cris Paden said Tuesday.

"We nailed it down to one agent at the call center" who handled the Symantec customers, he said. That agent was put on administrative leave pending the outcome of the investigation, Paden added.

In addition to Puerto Rico, the states contacted were New Hampshire, Maryland, New Jersey, Maine, Massachusetts, New York, Virginia, and North Carolina, Paden said.

It was unclear exactly how the data of the three U.K. customers got from the call center into the hands of the man who the BBC News said sold the credit card numbers. Nor was it clear whether any data from the U.S. customers was leaked. Paden said there is no evidence that any U.S. data was exposed.

In a letter to New Hampshire Attorney General Kelly Ayotte dated March 24, the security vendor said it is "investigating a potential security incident involving a small number of customers' credit card information."

The letter said Symantec was sending a notice to a customer in New Hampshire who may have been affected by the alleged incident, even though the company does not believe a security breach, as defined by New Hampshire statute, had occurred.

The company added that even though it has no evidence that credit card information of any U.S. resident was actually compromised, it is offering its customers one year of identity protection services through Debix as a precautionary measure and reviewing its "security processes and third-party vendor protocols."

The BBC News reported on March 19 that undercover reporters posing as fraudsters had gone to Delhi to buy 50 credit card numbers, at $10 a card, from a man who claimed to have gotten them from a call center. They filmed the interaction. The man denied any wrongdoing, the BBC said.

When the reporters contacted some of the card owners, three of them said that they had bought Norton software from Symantec over the phone using their credit cards.

Symantec has set up an e-mail address for customers who want more information: global_purchase_query@symantec.com.

The BBC recently got flak for purchasing a botnet and using it in some tests to show the dangers that Web surfers face.

The IDG News Service is believed to be first to report on the Symantec letters.

Updated April 1 to clarify which media outlet is believed to have first reported the news.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by GDoC63 March 31, 2009 8:40 PM PDT
Ha,
A company that uses Australia for their online renewal and an Indian call center for tech support should expect that their data is spread everywhere.
This is one of the reasons that I've moved away from Symantec, at least for my most critical systems.
Having said that, a compromise of 200 users is actually pretty good, though not great.
by a_flores April 1, 2009 7:20 AM PDT
Aha, how do I trust you, Symantec, if you cannot even protect yourselves?
by alegr April 1, 2009 9:49 AM PDT
Why dictate CC numbers over the phone? It's so 1980s. Have the customers touch-dial the number. DTMFs can be filtered by the phone system and entered automatically into their app; the agent won't even see it.