A number of Future Shop customers received an e-mail early on the morning of June 7 from the Burnaby-based electronics retailer, indicating their credit card information had been compromised.
“Due to an oversight on our part, our database of all our credit cards used in our stores and on our Web site has been compromised,” the e-mail read. “If you have used a credit card on our Web site or in one of our stores in the past three years, you should contact the card issuer as soon as you can and tell them to issue new account numbers and cancel the old ones.”
The e-mail, complete with a typo and spelling error, went on to list telephone numbers for card holders to call to cancel their cards, and was signed by the company’s president and COO, Kevin Layden.
As customers nation-wide opened and read the e-mail, called the chain, sent e-mails to the retailer and cancelled their credit cards, what they didn’t know was that it was all a hoax.
The company had recently hired a third-party mass-mailing vendor to send broadcast e-mails out on behalf of the company, according to Future Shop spokesperson Lori DeCou.
“The perpetrator was not able to retrieve those e-mail addresses,” DeCou explained. “All they were able to do was to instruct that service provider to send out the fraudulent e-mail, and it sent it out to about 10,000 customers across the country.”
DeCou explained that Future Shop and the RCMP are trying to track the culprit down, so the company does not want to reveal the name of the service provider as it may compromise the investigation. Credit card information was not released to the mailing company, she insisted — that information is kept only at Future Shop’s offices in a secure environment.
The retailer’s head office is located on the West coast, which meant that East coast customers were reading the fraudulent e-mail before sunrise in the West.
DeCou said the company became aware of the dilemma by about 7:30 AM PST, and assembled a task force as quickly as possible. Confirmation of what had happened was received from its security personnel and police by approximately 9:30 AM. A press release was issued at noon that same day.
The company was unsure of which addresses had received the e-mail, so it contacted credit card companies, banks, stores and customer service representatives, DeCou explained. Customers could then be informed that the e-mail was false and that credit card information was still secure.
It was not until the evening of June 8 that the recipients’ e-mail addresses were obtained by Future Shop, and it issued an e-mail out to those people on the morning of June 9.
But Richard Zorzit, a Web specialist for Toronto-based ITworldcanada.com, said he did not find out about the hoax until it was too late. A one-time on-line Future Shop customer, he received the fraudulent e-mail first thing in the morning. He immediately called a local store, which he said knew nothing about the situation. Zorzit was worried, so he contacted his credit card company to cancel his card, and it too was unaware of any fraud.
“I was very inconvenienced by this,” he said. “The first time I called up the Future Shop store the customer service person knew nothing. It wasn’t until two hours later when I called a second time that they said it was a hoax.”
DeCou insisted that according to information the company has obtained from banks and credit card providers, only 50 credit cards were actually cancelled. Approximately 2,500 queries and calls from customers were received, she added.
There are measures that should be taken by firms which intend to use third-party companies, according to Chris Byrnes, a vice-president with the META Group in San Diego, Calif. He said testing is one option, which involves running a security test against third-parties’ computer systems. Another option is to use bonding.
“Make sure that the organization you are dealing with has a bond in place — a significant money-oriented bond — that will pay out in case of this type of damage.”
The pay out of the bond is irrelevant, he pointed out. It is the fact that the company was able to qualify that is important, because that “indicates it’s not some kid in a back room.”
A lot of e-mail resender organizations are in fact very amateur organizations, and security is not at the top of their lists, he said.