September 8, 2006 11:23 AM PDT
Chase puts credit card data in the trash
Personal information on 2.6 million Circuit City credit card holders is mistakenly thrown out.
The story "Chase puts credit card data in the trash" published September 8, 2006 at 11:23 AM is no longer available on CNET News.
Content from Reuters expires after 30 days.
6 comments
C'mon, how many more incidents like this do we need to convince ourselves that there is a serious problem with how the average business handles sensitive data?
It shows the bank's mission statement to be a farcical PR hack job only!
Limited apologies, no reason to change its behaviour, for either way the customer will always remain the loser and the sacrifice to the all-consuming profit first, and customer last!
But there is NO SUCH THING as MISTAKENLY placing it in the trash.
Walt
The Payment Card Industry has a very stringent Data Security Standard that merchants are held accountable to. This standard dictates proper handling of the data, including a requirement for encryption of the data and mandated handling and disposal of removable media (even though it must be encrypted on such media). It sets very severe penalties for any merchant who loses data when it can be shown that this standard has not been strictly followed.
But the member banks are not required to follow this standard.
PCI-DSS is an extreme cost burden to merchants, but even so the merchants agree to implement it because it is the best thing for their customers. One wonders why the member banks would not also think this is important. But in any case, PCI-DSS addresses the wrong problem... the payment card number is in itself insecure. The proper solution would be to end the days where anyone can call a merchant or visit a web site and authorize a transaction on nothing more than a 16-digit number. Adding a 3- or 4-digit "validation" code is no solution... heck, to register for this post I had to provide a minimum of 6 alphanumeric characters for a password! Payment cards need just that -- a secure layer of authentication that can't be easily spoofed or hacked.
Until they do, though, and as expensive as it is to the merchant members, PCI-DSS implementation is the best we have. The standard has real issues... but things like this incident come from choosing to not apply their own standard to themselves, not from shortcomings in the standard itself.