A subcontractor working for a company that processes and fulfills orders for the Disney Movie Club sold credit card numbers and other account information belonging to an unknown number of customers to undercover law enforcement agents.
The May 2007 incident has prompted Disney to send out letters to an unspecified number of customers informing them about the breach.
Disney did not respond to requests for comment about the incident. But Brad Van Duser, an Atlanta-based customer of the company's movie club, received the letter and made it available to Computerworld. The letter is dated July 6 and signed by John Flynn, vice president of online digital and directing marketing for Buena Vista Home Entertainment, a division of The Walt Disney Co.
In it, Flynn said the incident involved an employee at Alta Resources Inc., a Neenah, Wis.-based outsourcer working for Disney. According to Flynn, the employee sold credit card information including names, addresses, credit card numbers and expiration dates to law enforcement authorities in an undercover sting operation. Flynn said Disney had been assured that card security codes, such as the CVV code, had not been compromised in the incident.
"Law enforcement officials have informed us that there is no indication that your information was used to make improper purchases or sold to anyone other than federal law enforcement agents," Flynn said in his letter. "Nevertheless, in an abundance of caution, we have informed representatives of Visa, MasterCard, American Express and Discover of these events."
The letter urged recipients to contact the financial institutions that issued their credit cards if they had any questions regarding their accounts. But it did not mention any free credit monitoring services, an option many companies have offered in similar situations.
Van Duser said he was surprised by the incident. "As a customer, what surprised me the most was that even after all of the security breaches reported in the news recently that a large, reputable company like Disney had not taken steps to thoroughly protect my credit card information," he said in an e-mail. "And then when the breach occurred, they didn't offer a credit monitoring or other service."
The Disney incident is the latest in a seemingly endless stream of breaches being disclosed by major companies this summer. Just this week it was disclosed that Kingston Technologies Inc., a maker of computer memory technologies, sent out letters to about 27,000 customers in connection with a September 2005 data breach that the company did not discover until recently. Western Union made a similar disclosure, announcing that it was notifying about 20,000 customers of a potential compromise of their personal data following the discovery of a database intrusion.
Such incidents have heightened consumer concerns and pushed several states to consider or enact laws requiring retailers and other entities handling credit card data to implement safeguards for protecting the data. One of the most closely watched of these laws is California's proposed AB 779 legislation, which would require breached entities such as Disney to disclose more details about security breaches, including a description of the categories of personal data that might have been compromised. The law would also hold breached entities financially liable for the costs incurred by banks and credit unions to notify customers of a breach and to subsequently block and reissue cards.
This story, "Disney Warns of Data Leak," was originally published by Computerworld.