This entry will be pretty short. I got a replacement credit card in the mail the other day. I thought it odd, that the issuer would renew it so soon. When I activated the card, the automated recording informed me that I was being issued a replacement card because a merchant had notified the issuer that a data breach (i.e. compromise) had occurred. I pressed zero after activating the card to talk to a customer service rep. The CSR was ignorant of the situation even after I briefed him. He couldn't tell me who the merchant was. I don't use my credit cards that much, so I can likely narrow the list down, but it bothers me that the credit card issuer would not give out that information to its customers. Most people would think that the credit card company was looking out for them, but in reality, the credit card company was looking out for itself and the merchant. If the law said that I was liable for all the charges on the card even if I didn't make them, the credit card company would have done nothing. Since the credit card company eats all fraudulent charges after the first $50 they did the prudent thing and replaced everyone's credit cards that were affected. I still find it atrocious that the bank wouldn't see fit to inform its customers of the offending merchant. Keeping your customers in the dark is setting them up for further losses down the road with the same merchant. Just because they got burned once doesn't mean that they've necessarily learned their lesson and fixed the problem. I wouldn't do business with a firm that lost my credit card information especially since if they are a brick and mortar store, they are not supposed to keep transaction data at all.
Labels: data breach notification lax security