If you don’t know whether data were extracted, why say the risk of harm is low?

A breach notification letter submitted this week to the Vermont Attorney General’s Office by WorldVentures Marketing had me grinding my teeth.

According to the notification to consumers, WorldVentures recently became aware of unauthorized access to their servers. The access may have occurred from October 23, 2012 through March 14, 2013. The server held customers’ credit card numbers with expiration dates. They do not indicate how they became aware of the unauthorized access.

The firm says that they do not have any evidence that the card data were extracted. Then again, do they have any firm proof the data weren’t extracted?

“We believe the risk of harm to you is low.” 

If you don’t know for sure that data were not extracted, should you write that? No.

The firm did not offer affected customers any free credit monitoring services.



About the author: Dissent