Some reputation hits are deserved
Access Securepak explains its service as a “program designed to allow family members and friends to send packages to inmates.” On Monday, their parent corporation, Centric Group, notified the California Attorney General’s Office of a breach that may have started back in August 2010 but was only recently discovered. The irony of a company name that includes “Access Secure..” having had an undetected breach for over two years will not be lost on readers.
In their letter to consumers, Centric Group writes, in part:
On approximately December 13, 2012, Centric Group, L.L.C. learned that certain [Card Brand] credit card information that you provided to purchase items on our website (www.accesscatalog.com), including name, credit or debit card number, expiration date and card verification code, may have been accessed without authorization by a third party, beginning in August 2010.
Left unanswered by their notification are the following questions:
1. How did AccessSecurepak/Centric first learn of the breach in December? Did a customer report card fraud or was the breach detected internally, or…?
2. What was the nature of the compromise? Was this a hack, or malware-exfiltration or a rogue employee of a vendor stealing information or…?
3. Have there been any reports that credit card information was misused?
4. Why were they storing credit card information in violation of PCI-DSS standards, and why were they storing credit card information from transactions over two years earlier?
Their letter states, “We are sending you this letter as a cautionary measure, so that you can be proactive in monitoring your credit card statements.” I’m not sure how people whose information was stolen two years ago can be truly proactive at this point, although if the breach continued into December 2012, more recent customers can be proactive. Customers were not offered any free services as Centric’s expense.
Post corrected to indicate that email was sent to Access Securepak and not Centric Group.