[Dataloss] Globe and Worcester T&G customer credit info mistakenly released

Richard Forno rforno at infowarrior.org
Wed Feb 1 00:17:30 EST 2006


Globe and Worcester T&G customer credit info mistakenly released

By Robert Gavin, Globe Staff  |  January 31, 2006

http://www.boston.com/news/local/massachusetts/articles/2006/01/31/globe_and_worcester_tg_customer_credit_info_mistakenly_released?mode=PF


Credit and bank card numbers of as many as 240,000 subscribers of The Boston
Globe and Worcester Telegram & Gazette were inadvertently distributed with
bundles of T&G newspapers on Sunday, officials of the newspapers said
Tuesday.

The confidential information was on the back of paper used in wrapping
newspaper bundles for distribution to carriers and retailers. As many as
9,000 bundles of the T&G, wrapped in paper containing subscribers' names and
their confidential information, were distributed Sunday to 2,000 retailers
and 390 carriers in the Worcester area, said Alfred S. Larkin Jr., spokesman
for the Globe.

In addition, routing information for personal checks of 1,100 T&G
subscribers also may have been inadvertently released.

The Globe and T&G, which are both owned by The New York Times Co., share a
computer system.

The release of the data is another in a long list of high-profile incidents
in which companies, universities, and federal and state agencies have had
sensitive financial information lost or stolen.

Globe and T&G officials said the newspapers have notified the four major
credit card companies -- American Express, Discover, MasterCard, and Visa --
of the problem. The newspapers will turn over the card numbers of
subscribers who may have been affected to the companies upon request. As of
last night, MasterCard and Visa have asked for the details. The newspapers
are doing the same thing with banks of customers who may be affected.

About 227,000 Globe subscribers pay by credit or bank cards, although it's
unclear exactly how many had their information released. Larkin, however,
said a reconstruction of the errors that took place suggests a majority of
those affected are Globe subscribers.

The newspapers have also set up a hot line, 1-888-665-2644, for customers to
call to learn whether their financial information may have been distributed.
As an extra precaution, newspaper officials also urged subscribers to
contact their credit card companies if they are concerned about unauthorized
transactions.

So far, newspaper officials said, there have been no reports that the
financial information has been misused.

In a letter to subscribers in Wednesday's Globe, Richard H. Gilman, the
paper's publisher, said, "We deeply value the trust our subscribers place in
us and are working diligently to remedy this situation. Immediate steps have
been taken internally at the Globe and the Telegram & Gazette to increase
security around credit card reporting. We regret the disruption and
inconvenience that this incident may cause."

The T&G's publisher, Bruce Bennett, issued similar comments in Wednesday's
T&G.

According to the Privacy Rights Clearinghouse, a nonprofit consumer advocacy
group in San Diego, more than 100 incidents of lost or stolen financial
information were reported over the past year. Among them: Bank of America
Corp., which lost computer data tapes containing personal information of 1.2
million federal employees, including some senators; Ameritrade, the on-line
discount broker, which said it lost a back-up computer tape containing the
personal information of some 200,000 customers; and the US Air Force, which
confirmed that personal data of 33,000 officers and enlisted personnel were
hacked from an online system.

Beth Givens, director of the Privacy Rights Clearinghouse, said the T&G
incident -- which she called "most unusual" because of how it happened --
underscores the need for companies to focus on more than just online
security to protect the sensitive information of customers, clients, and
employees.

"What we've learned is there are many ways that sensitive information is
exposed," Givens said. "Every entity needs to examine all the ways it uses
information and develop security safeguards that go far beyond the computer
system."

Larkin said the newspapers were first notified of the security breach on
Monday by a clerk at a Cumberland Farms store. It took until late Monday for
officials to confirm the data on the back of the paper were credit and debit
card numbers. Senior management learned of the security breach Tuesday
morning, Larkin said. The company put out a news release late Tuesday
afternoon.

The Globe and T&G financial information was inadvertently released when
print-outs with the confidential information were recycled for use as
so-called "toppers" for newspaper bundles. A topper, placed on top of
a bundle of newspapers, is inscribed with the quantity of papers in each
bundle and the carrier's route number.

Officials of the newspapers said they are recovering as many of the toppers
as possible, although most have likely been discarded. The T&G has ended the
practice of using any recycled paper for toppers. The Globe does not recycle
paper in this fashion.

The newspapers have also added a safeguard to the computer system so only
the last four numbers of credit and debit cards can be printed.

The Globe and T&G share a computer system. Larkin said the data was printed
out on two occasions over the past few weeks by T&G business office
employees. In one instance, an employee inadvertently hit the print button,
aborted the job before the run was complete, and discarded the paper. In the
other instance, another employee began printing a report, but soon realized
it was the wrong one, aborted that print job, and discarded the paper.

Larkin said the newspapers are still investigating the T&G's procedures for
handling confidential customer information. But he said the employees
weren't disciplined because the errors were inadvertent. "There's no reason
to believe this was intentional," he said.

Robert Gavin can be reached at rgavin at globe.com. 