Well,

Last night I witnessed / was involved in / heard
the WORST Data protection breach I have ever had
the misfortune to witness.

My other half placed an order on line for some tyres yesterday...

Received an e-mail confirming the order then an
hour later a mail saying that her card had failed their
card verification process and a transfer to the London branch
of Commertzbank would be required.

Not a problem, her credit card was issued in Germany and
the Commertzbank method of payment is listed along with
their Account details on the site.

However, they are a German company, the card's valid so we thought we'd
query why the card didn't go through.

The first thing we did was check with the issuer to see if funds had
been requested, which they hadn't. So... I make a call.

Very nice IVR that takes the order number, hold music...

Female voice.. "Hello is the call regarding Ms Sandra xxxxxx's order?"
(FULL NAME given no verification of order number asked for!)

Me "err yes...."

Proceed to be told that she can't tell me what verification process
the card failed but during the call is QUITE happy to give me...

i) The full name (see above)
ii) The Order/Card address.
iii) Our Home Phone number.
iv) Sandra's Mobile number.

All without prompting.

It just kept getting worse!

Then, just when it couldn't get worse I asked for the card
number 'To see if the number was correct'.

GIVEN.

Just as a note, at no point was I asked...

i) My name
ii) My relation Sandra.

We've had the order cancelled!

I did ask for a management callback although
I'm not sure the message will get through, so I followed it up
with a mail last night titled. 'Senior manager call required (DPA Breach)'


I'm going to try to speak to their E-Commerce manager today....

They get one chance, then I name and shame.


My head hurts!

Aarghh.......... WHY DO WE BOTHER!!!!

DaveA

Dave,

A classic example of how we as consumers need to be alert to escape phishing, and other fraudulent methods ;)

Did you ever get ahold of their ecommerce manager?

Marianne,

Basically,

An apology the information was released, however,
I was told that the fact I had the order number
was obvious proof that I was in a position to legitimatly
recieve said information!

Not really too happy but not sure if it's worth activly
going after them given they are based in Germany.

Whilst teh Information Comissioners office were VERY helpful
and offered to look into it, the company is DE registered, so
I'd need the German equivilent of the ICO.

My German is only up to High school level so probably more
trouble than it's worth.

Regards

DaveA

Hi David,

no clue what ICO means. If you want to contact the resposible people for Data Protection in the bank the e-mail is: datenschutzbeauftragter(AT)commerzbank.com.
If you want to hand this over as a data security breach to the federal office just give me a shout and i'll give you their contact details.
But to be honest it is only a small breach compared to the news of the last days in germany. One Bank lost a few million customer creditcard information and another one sended a few hundred to a private e-mail account by mistake.

Vielen Danke

This is when the site really shows what it can do.

My other half si German with fluent Engligh so I don't speak as much as
I should (or can)

datenschutzbeauftragter. I love German compound nouns!

I'm guessing Data Protection officer or something similar.

ICO is the Information Comisioners Office, theoretically
responsible for Data Protection in the UK, Normally
about as much use as a Chocolate Fireguard given the amount
of USB sticks / laptops / CD's that have gone missing without
anything being done to the companies that lost the data.

Thanks again.

DaveA