Who should I notify about a data breach?
June 8, 2012 5:43 PM   Subscribe

I just discovered a huge amount of sensitive data (Scanned credit cards / Driver's Licenses) on an unsecured Wi-Fi network. Who should I notify?

I just checked into a Hotel, and after connecting to their (unsecured) Wi-Fi network I noticed there is a folder shared on the network named "CheckInn". It appears to be their Front desk software.

Inside the folder are scanned images of approximately 15,000 Driver's licenses as well as front/back scanned images of each person's credit card (Including my own) There is also .DBF file containing the Name/Address/Phone#/Driver's License#/Credit Card#/Expiration/CVV2 of about ~30,000 people. All of this is shared openly on an unsecured Wi-Fi network.

I even found scanned images of my old Driver's License / Credit card from when I stayed here a year ago.

How should I go about reporting this / who should I notify?

I'd would like to ensure that:

A) This is corrected, and all of these people deserve to know that their information was potentially compromised.

B) I don't get accused of "hacking" by the Hotel chain in an effort to avoid taking responsibility for their non-existent security.
posted by ninepin to Law & Government (16 answers total) 22 users marked this as a favorite
 
I'm not sure who to report it to, but I'd be sure to get screenshots of the relevant info, with the emphasis on your old stuff. With that info alone, I'd think it would be ok to place a call to the non-emergency line at the local Police. It would seem to me that intentionally or not, they're distributing your personal information.

Any chance you'd share where you're staying - because I sure don't want to stay there. If nothing else, that info might be of service to the public.
posted by blaneyphoto at 5:48 PM on June 8, 2012


you need to be made anonymous, I think.
posted by batmonkey at 5:49 PM on June 8, 2012 [9 favorites]


I'd call your credit card company.
posted by bottlebrushtree at 5:54 PM on June 8, 2012 [2 favorites]


[Removed the link - feel free to put it in your profile if you feel it's necessary. ]
posted by restless_nomad (staff) at 5:56 PM on June 8, 2012


FTC has this:

.File a complaint with the Federal Trade Commission.
You can file a complaint with the FTC using the online complaint form; or call the FTC's Identity Theft Hotline, toll-free: 1-877-ID-THEFT (438-4338); TTY: 1-866-653-4261; or write Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Be sure to call the Hotline to update your complaint if you have any additional information or problems.
i don't know if this is something they handle but it might be worth giving them a call.

I agree, take a couple of screen shots (include the date and time if it's on your menu bar). Then, if this is a large chain, I would try and contact a corporate office.

And, yes, call your own credit card company as well, ASAP.

Let us know what happens, I'm curious.
posted by HuronBob at 5:57 PM on June 8, 2012


In addition to notifying the hotel, I think you should notify the state attorney general's office. The AG's office will often be responsible for administering state data breach laws (if any), and can be an effective method of getting the ball rolling in terms of responses by state and federal consumer protection agencies and others. Notifying the FTC would be worthwhile as well.
posted by Inspector.Gadget at 5:59 PM on June 8, 2012 [3 favorites]


Chain hotels are all franchise operations, where the owner of the individual hotel has to meet certain standards in order to keep using the chain's name but otherwise has a lot of latitude in how they run things. A properly worded letter or email to corporate would certainly result in pressure being apllied and action being taken to correct the breach, but there's a strong possibility they'll try to keep it as quiet as possible.

As for letting the affected people know without being accused of hacking, well, that's a little dicier. I'd say definitely take screenshots of your own info, but otherwise retain no copies of the info you found on your own machine any longer than it takes to send them to law enforcement (exactly what branch of law enforcement? I'm not sure). If you contact the news media (which seems like a good idea to me) don't send them any sample info without making sure any identifying details are obscured.
posted by contraption at 5:59 PM on June 8, 2012 [2 favorites]


hi - I do e-commerce.

you should notify the Payment Card Industry Standards Council:

https://www.pcisecuritystandards.org/

and it wouldn't hurt to notify Amex, Mastercard, Visa, and Discover (the big 4) if you have time, although PCI should take care of it. Google their corporate web sites and you should find it.

Your own bank's security department should take an interest as well, since your card data was in there, but I'd expect them to be more concerned about the immediate fallout with your own account

My thinking is this - if this is a local property of a responsible business, I'd want to give them a chance to clean up the mess, but the complicating factor here is that there is a strong possibility others have noticed and copied off the info. I mean, from the way you describe it it wouldn't take Kevin Mitnick to get into this data; you did it just by clicking into it. So it's a long way beyond "hey, you have a potentially unsafe thing here," this is more like "you've piled one stupid thing on top of another, to the extent it's likely the card data is compromised."

For starters:

- insecure access to cardholder data.
- improper storage of CVV2 data.
- unencrypted storage of card data

and we could just go on and on. There are several no-kidding serious breaches of the most basic principles of card storage here. In such cases the business has a duty to report the breach, and I'd force their hand.
posted by randomkeystrike at 6:01 PM on June 8, 2012 [17 favorites]


I think in this situation, a squeaky wheel gets the grease philosophy is most likely to get tangible results. So, the FTC (assuming you are in the US), the state Attorney General of the state the hotel is in, as well as the state where their corporate HQ is located (some states have stricter consumer privacy laws), and the BBB would be places to contact. In addition, of course, to the hotel chain's management. I'd skip the management of the local hotel, because they are likely to be both dumb as rocks and hostile to you for pointing out their stupidity.

Oh, also the CC companies. They are pretty serious about security, and can really put the screws on merchants when the want to (by threatening their revenue stream).

Don't download any of the information yourself -- that is how people run afoul of anti-hacking laws, in general. As long as you haven't accessed/retained any of the info, you should be OK (IANAL, YMMV etc.). Delete any relevant browser/command line history, and word your letters carefully -- say you "believe that CC numbers could be accessed," not that you "successfully accessed CC #s". On preview, I think screenshots would be a bad idea.

You're doing a good thing, but also keep your expectations realistic. It will be difficult to get a company to admit to a data breach when it is not demonstrable that malicious hacking has occurred, since this is an embarrassing and expensive thing for them. If they only modify their practices in the future, you will still have accomplished something meaningful.
posted by dendrochronologizer at 6:01 PM on June 8, 2012


I'd want to be anonymous on mefi in this context, but I don't think the OP has anything to worry about, provided he or she did not do anything besides click into a resource on an open wifi. I would NOT download any files, as others have said. There will be plenty of evidence without that.
posted by randomkeystrike at 6:04 PM on June 8, 2012


If the OP gets this info to the card company's security departments, something of this magnitude will be taken seriously. They don't play. I once found myself receiving a lot of orders from some person who was testing card numbers. The idiot was using the cardholder's real name, address, and phone, so for a few days I got to be the one to call people up and say "hi - your card info has been compromised and you should call your bank..." what fun. I asked each one what other sites they'd visited recently and found they'd all been to the same mom and pop wedding supply online store. I notified my merchant bank and they notified the card companies. Visa security got in touch with me very promptly and I told the investigator about it. They apparently were putting a lot of resources into finding the other website operator.
posted by randomkeystrike at 6:10 PM on June 8, 2012 [1 favorite]


I have a friend in the appropriate department at the FTC in Chicago in case you find nobody is responding via the general emails or websites offered in this thread. I'd be happy to check with him what would be the best thing to do after all regular avenues have been attempted.
posted by infini at 6:48 PM on June 8, 2012


I work in the payment card data security industry and I agree with randomkeystrike - notify the PCI SSC.
posted by caryatid at 8:45 PM on June 8, 2012


I think you should alert the media as soon as you have contacted the authorities. There are 30,000 people out there whose information has been seriously compromised, and they have a right to know. Take lots of screenshots, and video if you can, which will give the story more legitimacy. (Normally if you call a reporter with a customer service type complaint, they'll tell you they don't get into that sort of thing. But if you've got documentation and it's an issue that affects others, they'll take you much more seriously.)
posted by brina at 10:04 PM on June 8, 2012 [1 favorite]


I think you should alert the media as soon as you have contacted the authorities.

Don't do that, at least not until you are sure that the information is no longer accessible to all and sundry. The potential damage to the affected people could be far greater if this 'source of information' is made widely known before the information has been removed than it is at the moment.
posted by koahiatamadl at 3:06 AM on June 9, 2012 [7 favorites]


Yes, that could be very bad. This might take several days to stop.
posted by randomkeystrike at 6:10 AM on June 9, 2012


« Older Travelling with a Samsung Galaxy III to the US   |   where is a better dating location, SF or SF... Newer »
This thread is closed to new comments.