Ask HN: Altrec security breach letter?

2 points by warmfuzzykitten ↗ HN
My wife received a letter, ostensibly from Mike Morford, President & Founder, Altrec, Inc., stating the following:

"Altrec was initially contacted by American Express concerning the fraudulent use of a small number of American Express cards that had been previously used at our Website. In collaboration with American Express, we engaged a leading forensic security firm to identify whether our systems had been compromised and to remediate any possible concerns. After a detailed investigation the forensic investigators could not locate any forensic evidence of a security breach. However, we discovered that your American Express account number, expiration date and four digit security code, and associated information (including your name and address) were being stored in our database. If our systems were illegally accessed or used in an unauthorized manner, your personal information could have been compromised sometime between June 2010 and March 2012."

Even though the letter says no evidence was found of a security breach, it goes on to say, "We've addressed the vulnerability found internally and by the forensic investigators, deleted all card information," and etc.

Now, the obvious remedy, if one believes a credit card has been compromised would be to identify the card, e.g., with the last four digits of the card number, so the cardholder could ask to have a new card issued and the card canceled. But oddly the letter does not suggest that, or identify the card in question, but instead goes on to offer a "complimentary one-year membership of Experian's ProtectMyID(TM) Alert."

It seems absurd that either Altrec or Experian would be engaging in a scare tactic mail-order campaign for an identity protection service. Nonetheless, the letter doesn't quite ring true.

It seems possible that people here involved with security issues are aware of the situation. Usually, potential security breaches like this are made public, but I can't find anything about this one.

Is this on the level?

4 comments

[ 5.8 ms ] story [ 15.5 ms ] thread
I don't know anything about this breach, but I did find this[1]. It doesn't really have much more data, but it does include a link to a ca.gov site hosting a sample letter (which probably looks nearly identical to yours).

As far as the credit watching goes, it is not uncommon. I know of a college that lost a bunch of student information did the same thing. Basically the school (or company in this case) in question pays one of the credit institutions to give everyone affected a year of credit monitoring service. I don't know if it actually helps the company in terms of liability, but at least it is a positive PR decision.

I'm not sure why they don't suggest cancelling the card. Maybe someone like AmEx is afraid of people leaving them completely instead of just getting a new card? Feel free to call AmEx and get a new card. Can't hurt, right?

And finally, no, security breaches like this usually are not made public. Actually, it is suspected that most breaches are not reported to anyone at all. For companies that do decide to comply with disclosure laws, they send out letters like this, but usually only to the potentially affected customers (not publicly). When you see something like this in the news, it is either the rare case that the company did announce something publicly, or the more common case where someone like you receives a letter, then runs to the nearest high traffic blogger/news source to report the story. As you can see on http://datalossdb.org, there are multiple incidents being reported every day.

Good luck!

[1] http://datalossdb.org/incidents/6752-amex-notified-company-t...

I definitely bought something with an AMEX card on Altrec, and someone definitely used that card to buy access to a Christian dating site, of all things, a couple months later. AMEX called me in regard to the fraud a month or so ago and I got a new card.

I'm inclined to believe that this is legit, but it's kind of crazy that all they offer is credit monitoring, which I only now feel like I need because they screwed up. I want a new tent or something.

That's not very Christian-like.
It's legit. I got the same letter from Altrec yesterday...about two weeks after American Express fraud alert contacted me that my card was used on some UK based sites and random other places. It was cancelled and a new one issued. I had made a couple purchases at Altrec this past fall.