Tuesday, July 17, 2007

Western Union Breach



Western Union admitted that personal data on as many as 20,000 customers was compromised due to a poorly secured database accessed by “hackers”. Names, addresses, phone numbers, and credit card information are all among the data stolen in the heist.

I looked around the Internet for an official response from Western Union and found nothing. I did notice something ironic on their homepage, http://www.westerunion.com/ though.



The section labeled “Protect Yourself from Fraud” immediately caught my eye. I guess one thing you could do is not do business with Western Union, but this won’t help you much if you are already one of the unfortunate victims!

The “Standard” Response
There seem to be some “standard” responses among companies that are losing data belonging to their customers. Mind you, it is easy to play “Monday morning quarterback” with security breaches, but honest public disclosure, tangible assurance and change, and open communication with my customers would be near the top of my response list.

Standard Response #1:
“We are not aware of any ID theft or any kind of fraudulent use that was made from this information.” This sounds eerily familiar. Certegy responded to their recent 2.3 million record breach with “No Fraudulent Activity or Identity Theft Detected” in their press release. To be honest this means nothing to me. Just because the company has not detected any fraudulent activity does not mean that none has occurred or that none will in the future as a result of the disclosure.

Standard Response #2:
“It (Western Union) also offered to pay for one year of credit monitoring to affected customers.” From the letter sent to the victims of the Pfizer breach (17,000 victims): “support and protection package includes a credit monitoring program for one year.” I do like how Pfizer has responded, although there are rumblings that they took too long to notify victims.

Western Union Breach
As I stated earlier, I still cannot find any “official” response from Western Union, so it is hard to comment on their response. Among the things I would like to know are how the vulnerable database was accessed, what Western Union is doing to prevent future breaches, and any other information that can help me as a consumer feel confident that they take the security of my data seriously. The Certegy breach was a case of a criminal DBA; is this a case of a DBA with poor skills?

Content for this article refers to information originally reported by the New York Post, here.
Western Union has been in the news for a security breach before.


Feel free to comment!

1 comment:

The Trusted Toolkit said...

This is not the first breach affecting Western Union customers (publicly). In September 2000, it was reported that 15,700 customers were affected by a Web site hack. Credit and debit card numbers were included in the data stolen.

http://www.infoworld.com/articles/hn/xml/00/09/14/000914hnwest.html