An undisclosed number of Disney Movie Club members have received letters informing them that their credit-card information was sold by an employee of a Disney contractor to a federal agent as part of an undercover sting operation, Network World has learned.
The sting occurred sometime in May, while the letter - a copy of which was forwarded to Buzzblog by the security Web site attrition.org - is dated July 6. Why notification took that long is among this morning's unanswered questions (update below).
The latest in a seemingly endless string of data-breach incidents involving major organizations, this one is being pinned on a third-party contractor, Alta Resources, according to the letter signed, "John Flynn, for the Disney Movie Club." The address on the Disney Movie Club stationery matches that of an Alta Resources P.O. Box in Neenah, Wis., so I'm presuming the verbiage comes from Alta Resources. From the letter:
One of Alta Resources' employees sold certain credit card information to federal law enforcement agents, as part of an undercover sting operation, in May 2007. The information included your name, address, credit card number and expiration date, and credit card type (e.g., Visa, MasterCard, American Express or Discover), and may have included your telephone number and e-mail address if you had provided that contact information to us. We have been assured that the card security code (e.g., the CVV or CVC code) for your card was not included in this information.
Disney's public relations outfit has yet to respond to my request for an interview.
(Update: Just talked with Eric Maehara, a spokesman for Disney Movie Club owner Buena Vista Home Entertainment, who told me he is not at liberty to discuss details of the incident -- including the number of club members victimized -- because there is an ongoing investigation by the Secret Service. Everyone whose data was compromised has been contacted, he said, adding, "We outreached as fast as we could" given the necessities of the investigation. Alta Resources has been a Disney contractor for 10 years without having had a previous known episode of this nature, according to Maehara.)
An Alta Resources executive told me this morning that she would find an appropriate person to return my call seeking comment.
The letter - posted in full here - also contends that the authorities have said they have discovered no misuse of the proffered personal information and that the credit card companies have been informed. It recommends that those who were victimized check with their credit card companies.
In addition, the letter indicates that the Alta Resources employee has been fired. The letter says nothing about prosecution or about which federal agency conducted the sting.
This morning I've had an opportunity to chat about the letter via e-mail with Lyger, the attrition.org staff member who sent me the copy. Attrition.org maintains an archive of security breaches that resulted in the loss of personally identifiable information. Here's some of that chat:
What's your take on the seriousness of the breach based on the info provided? Is there any comfort to be taken from the business about CVV and CVC codes not being divulged?
"As far as 'risk-level seriousness' goes, I'd put it around the same as the TJX and Polo breaches; however, the letter does mention that there is no indication of any attempted fraud other than selling the information to law enforcement officials. I'd be especially interested in knowing how many cards and/or people are potentially affected. As far as CVC codes not being revealed, I can't remember the last time I was ever asked for mine, so I'd say that's probably a 'feel-good' line for additional comfort."
Shouldn't a company of Disney's stature have better control of such things this far into the data-breach deluge?
"Shouldn't the United States federal government? ;)
"OK, seriously, I would think that most large corporations are at least somewhat aware of issues surrounding 'data loss' or 'data theft,' but putting preventive controls into place isn't always easy; there can often be a lot of red tape to go through before even the most simple of measures can be enacted. Disclaimer: I know nothing about Disney's business practices, just speaking from my own personal experience."
Does the use/trusting of a third party deserve special attention here?
"In my opinion, not really 'special' attention: Outsourcing business functions is standard practice for most companies. If you store backup tapes offsite, you're probably using a third party vendor. If you ship your client list to corporate HQ on a CD or DVD, you're trusting the USPS, UPS, FedEx, or another vendor to get it there safely. In this case, an employee (now terminated) of a third party vendor allegedly attempted to commit fraud. One bad apple, but the company (Alta Resources) will end up taking the heat, and so will Disney."
There's no doubt about that.