Some reputation hits are deserved

Access Securepak  explains its service as  a “program designed to allow family members and friends to send packages to inmates.” On Monday, their parent corporation, Centric Group, notified the California Attorney General’s Office of a breach that may have started back in August 2010 but was only recently discovered. The irony of a company name that includes “Access Secure..” having had an undetected breach for over two years will not be lost on readers.

In their letter to consumers, Centric Group writes, in part:

On approximately December 13, 2012, Centric Group, L.L.C. learned that certain [Card Brand] credit card information that you provided to purchase items on our website (www.accesscatalog.com), including name, credit or debit card number, expiration date and card verification code, may have been accessed without authorization by a third party, beginning in August 2010.

Left unanswered by their notification are the following questions:

1. How did AccessSecurepak/Centric first learn of the breach in December? Did a customer report card fraud or was the breach detected internally, or…?
2. What was the nature of the compromise? Was this a hack, or malware-exfiltration or a rogue employee of a vendor stealing information  or…?
3. Have there been any reports that credit card information was misused?
4. Why were they storing credit card information in violation of PCI-DSS standards, and why were they storing credit card information from transactions over two years earlier?

Their letter states, “We are sending you this letter as a cautionary measure, so that you can be proactive in monitoring your credit card statements.” I’m not sure how people whose information was stolen two years ago can be truly proactive at this point, although if the breach continued into December 2012, more recent customers can be proactive. Customers were not offered any free services as Centric’s expense.

I e-mailed Centric Group Access Securepak on Monday to them to ask them the questions I raised above as there’s no contact e-mail address on Access Securepak’s site. Nor, for that matter, is there any privacy policy link on Access Securepak’s site or Centric Group’s web site.  In any event, I have gotten no response as yet, but will post an update if I get a response.

Post corrected to indicate that email was sent to Access Securepak and not Centric Group.

 

About the author: Dissent

21 comments to “Some reputation hits are deserved”

You can leave a reply or Trackback this post.
  1. L M - January 15, 2013

    This date 01-05-2013 I recieved letter notification of this incident. I went to Centric Group LLC website to contact them by email. Odd that for some reason when you click on contact it reloads page and you have no way to contact them. Apparently the lights are out and no ne is at home. Sad 🙁

  2. Anonymous - January 15, 2013

    We ALL should look into a class action lawsuit against Access securpak. Its the only way companies with their heads up their butts will listen.

  3. Jon - January 15, 2013

    I recently received this letter – having no idea what it was for I ran a search and came across this post (the only search result with any further information). Also found that this is related to packages I send a family member who is in prison (wrongfully I might add..).

    This is ridiculous – I will continue to follow up on the letter (after canceling the card) and if I find anything further I’ll post back..

    • admin - January 15, 2013

      Try their hotline number: 800-416-4601 and if you can ask them the questions I listed in my post and report back, that would be great. I never received any response to my e-mail to Access Securepak.

  4. Anonymous - January 15, 2013

    Contact Access Securepak

    Our full service customer service department is equipped to handle your inquiries.

    Write us at:

    Access Securepak
    10880 Lin Page Place
    St. Louis, MO 63132

    Call us at: 1-800-546-6283

    Fax to us at: 1-866-754-2813

    E-mail us at: mailto:[email protected]

    • admin - January 15, 2013

      Yes, that’s the email address I used to try to reach them – and got no response from.

  5. Ken - January 15, 2013

    I received this same letter in my mail today. I will be going to cancel my debit card and get a new one, as well as reviewing my account. What would we need to do to get a class action lawsuit going? This is absolutely ridiculous, who knows how many times I’ve ordered from them and where my credit card information is now? I deserve payment for all the hassle I’m going to have to go through now to fix this, and I want it done ASAP. Anyone feel the same way?

    • admin - January 15, 2013

      Such lawsuits generally fail unless people can show unreimbursed financial harm. HOWEVER: if they didn’t offer you free credit monitoring and you sign up for credit monitoring to protect yourself, that would be unreimbursed harm.

      As an alternative to that approach: If you and others who are upset start calling them and demanding they provide you with at least two years’ worth of free credit monitoring and credit restoration services, maybe they’ll realize they need to do something to actually help you.

  6. Sarah - January 16, 2013

    While the hotline 800-416-4601 rang continuously for minutes without being answered, I was able to contact Centric Group directly at the number on their website (800.326.6146). I spoke to Shawn, who seemed very knowledgeable about the situation. He explained they do not store info from the entire time period–August 2010 was the earliest possible date for the breach. There have been no reports of information misuse, and it was detected internally. This is simply an alert, which I appreciate.

    • admin - January 16, 2013

      Thanks for adding some details to what we know!

  7. Lori - January 16, 2013

    I received a copy of that letter today. I had recently (2-3 months ago?) reported a large fraudulent charge on the credit card referenced in the letter. Makes me wonder if this where they intercepted my card info from.

    • admin - January 16, 2013

      Although it may be difficult to know conclusively, you might want to let them know.

  8. Mika - January 17, 2013

    I also received this notice today. Immediately I called my credit card provider and canceled the card. But what they told me was that just today someone tried to authorize a transaction from some kind of medical business and Being that I did not answer my phone after they tried to call to confirm, the transaction was declined. I was not able to get any other information about the transaction. This is just scary. If you haven’t already call your card provider and cancel any cards that you have used on this site IMMEDIATELY!

  9. Sara - AZ - January 19, 2013

    I filed two reports with the FTC today, one against Centric Group, because and unauthorized charge was on my bank statement yesterday. What is extremely concerning is that they used it on a website called peoplefinders.com in which people to data searches on other people. I’m also filing a police report and hope to get the IP address of the transaction as well as the names of those search to ensure me or my family were not among them. I had to ask for a new debit card and put a credit freeze in place with each reporting agency.

    I googled about the data breach and came to this website: http://www.privacyrights.org/data-breach
    It appears a laptop was stolen and may have been connected to this breach. Now why it took two years to discover is another story…

    • admin - January 19, 2013

      The PrivacyRights.org’s entry that you refer to is based on a blog entry on this (my) site: http://www.databreaches.net/?p=13333. Centric Software – the entity in the stolen laptop incident – is not part of Centric Group as far as I know, and there is no indication that the stolen laptop has anything to do with the Access Securepak hack.

      If someone used your card to do research on peoplefinders.com, that is cause for concern, yes. Peoplefinders.com should have logs of access to their site. Have you asked them to preserve the logs associated with your card number?

  10. NL - January 24, 2013

    I made one SecurePak purchase for my brother in July. I got the letter from Centric 1/22/13 the same day a replacement CC from the compromised card company arrived. Sure enough 12/30 a $149 purchase that wasn’t mine. I contacted the company the purchase was made from, they had the purchase under my name with the with my card even gave me the adress in VA the package was delivered to (I live on the west coast). I contacted the compromised card holder gave them the info close out the new card even though it had a new security code and reissue. Now I have to wait for the new card to finish tearing apart my statements back to July but I remember anything else funny I assuming it was the first ding a test perhaps or my card is out there on some hack site for sale. Funny enough the people in VA ordered a $149 kiddie slide. I am pissed Centric didn’t even offer free credit monitoring, just a letter your shit my be stolen good luck, BTW give us a call if you have any questions CYA. Thank god I didn’t use a debit card.

  11. JustMe - January 29, 2013

    Just like everyone, I’m also a victim. Just because we have a friend/family member incarcerated, we are also treated like them. Funny thing is that without us as their clients, they have no business!

    Best way to resolve this issue is to go to the parent co. Centric Group, LLC Revenue:$320 million http://www.insideview.com/directory/centric-group-llc
    Contacts: Douglas Albrecht, CEO & President; Lee Rashman, Exec IS/IT Mgmt (CIO); Vicki Altman, VP Corp. Controller; Russ Willey, VP-Audit/Compliance & Financial Reporting/Controls; Serra Hayes VP IT; Claire Becher, Proj. Mgr. IT; Tom Will, Mgr. App Dev

  12. JustMe - January 29, 2013

    What does the Admin mean by my posting as ” Your comment is awaiting moderation ?” I thought I did a good job posting important people to contact at their HQ since we are getting the run around? What else do you need from me? After being a victim by said company, I’m squirmy sharing any info regarding me.

    • admin - January 29, 2013

      All comments are first sent to a moderation queue so that spam comments are trashed. If they are legit comments, as yours was, they’re then approved when I get to checking the queue. Unfortunately, due to all the spam submissions, I had to implement moderation. Don’t take it personally. 🙂

  13. Me again - February 1, 2013

    My credit card was blocked by my bank in December because the received a report of someone getting some or part of my credit card info. I was sent a new credit card and the old one was blocked. I had no idea the website was Access Secure Pak. Now I can’t get onto the website but my daughter can. I am outside of the U.S.

  14. Pattilou - February 1, 2013

    Not long after getting the letter about this, I got my credit card statement and for the first time ever ( and I am old), my credit card has unauthorized purchases. Totaling nearly 2500.00, I am ski about it, the bank will do an investigation but I had to close the account, contact all my monthly bills that were paid with that card and when I called the people who sent the letter, they sounded like they could cRe less. What a mess, why did it take them two years to fins this out, sounds strange to me

Comments are closed.