Update to Restaurant Depot/Jetro breach
The recent Restaurant Depot/Jetro breach that I reported on Dec. 7 provides a timely example of the issue of unreimbursed harm that consumers grapple with on a daily basis. As I continue to follow media coverage on that breach, it is clear that not only is there financial impact of this breach (the hacked card numbers have been misused), but there have been other types of as yet unreimbursed harm.
In today’s Boston Herald, Jerry Kronenberg reports how one customer of Restaurant Depot was affected:
Cris Maloof of Quincy’s Schoolhouse Pizza said scammers charged $14,000 on three of his credit cards, while his wife found her account shut off when she went shopping on Black Friday.
The bank ultimately straightened everything out, but someone contacted Schoolhouse Pizza’s utility and had the power shut off this week. That took Maloof an hour to reverse.
“It’s insane,” he said. “The inconvenience and the amount of hoops I’ve had to jump through — with the bank, with getting a new tax identification number, with everything — was just ridiculous.”
Not all of the 300,000 affected customers may have stories like that and Restaurant Depot has offered credit restoration services and reimbursement for expenses incurred, but it is not clear what happens to reimbursement for time spent and frustration.
I think Restaurant Depot is trying to do the right thing by its customers (although some will undoubtedly point out that obviously, they were not PCI compliant and could have avoided the entire mess). But at the end of the day, are customers really made whole by packages such as that offered in this case? And what about those entities that do not even offer credit restoration services and compensation? Is the best we can hope for harm minimization without full restoration and compensation? Is this the price we pay if we use plastic and trust others with our data? Or is there a better way – with or without regulation?