Dec. 1, 2005 at 4:54 PM ET
Careless companies are the biggest threat to your personal privacy, not computer hackers. Tonight, you'll have a chance to see the problem up close and personal.
We've brought you two stories recently that illustrate this point: "Surprise! You're exposed," about companies that accidentally sling spreadsheets and data around in e-mail; and "Help! I left my identity in the back seat of a taxi," about the thousands of data-rich thumb drives and laptop computers that are lost and stolen every month.
This week on "NBC Nightly News," Tom Costello took viewers inside a company being tested for sloppiness. Cameras follow a hired hacker as he wanders around the office looking for leaks. You might be surprised at how good a ruse a fire department inspector's uniform can be for a determined hacker.
Tom Costello's story is timely. Just today, shoe retailer DSW Warehouse settled a lawsuit with the Federal Trade Commission that was filed after a hacker stole about 1.5 million credit and debit card numbers from the firm. The lawsuit doesn't deal with the criminal who stole the data, but rather the company that made the theft possible.
According to the FTC, the list of bad habits was lengthy. DSW kept multiple copies of customers' credit card information on different computers, even when there was no need to store the data at all. The financial information wasn't encrypted and was protected only by "a commonly known user ID and password."
It's so often said that credit card theft victims face no real consequences, since they aren't liable for the charges. That's just not true.
Anyone who's been through it will tell you it's a hassle: Auto-payments must be canceled and reissued, and that never goes smoothly and often results in a late fee or two. Card numbers must be memorized again for use on the Internet. And there's that odd sense of violation most people feel.
The pain of stolen debit cards
But another element that's not discussed enough is the repercussions of stolen debit card numbers. Consumers have been trained to use debit cards/check cards just like credit cards, so whenever there's a heist of credit card numbers, a certain percentage are debit accounts. In this case, there were 96,000 debit cards among the stolen credit cards. For those victims, the problems are much more severe.
Having your debit card stolen is akin to having your checkbook stolen; and in fact, many victims have to order new checks, since their checking account number has been exposed. New checks cost $10-$15, and while DSW paid for some of those fees, consumers paid, too.
Meanwhile, debit cards don't have the same limits when used as credit cards -- in other words, if someone steals your debit card and uses it at a Wal-Mart, he can drain your entire bank account. Since the money is now gone, it's up to the consumer to recover it through dispute processes. That's a much bigger headache than disputing a simple credit card charge, because with a credit card dispute consumers never have to lay out the cash.
Is your company protecting you? Ask some questions
While DSW has admitted no wrongdoing in its settlement, it did agree to an outside audit every two years for the next 20 years. The audit will be similar to the one Tom Costello will unveil on "NBC Nightly News" tonight.
There isn't much a consumer can do to assess the security habits of companies that hold their personal information, but there are some tea leaves to read. Asking about the firm's privacy auditing practices is a good start. Talking to customer service representatives will give you a good sense of how seriously companies take the problem. If they hassle you with a bunch of questions before letting you access information, say thank you. If they seem unconcerned, or volunteer too much too soon, say goodbye.
Consumers often say they are very concerned about privacy -- but some companies still haven't gotten the message. Voting with your feet, and your pocketbook, will drive that message home.