Maybe the customers are wrong, and the site's database is secure. But maybe it's not. No one has a prayer of knowing unless someone is collecting complete information on each incident and watching for patterns. Yes, that's a lot of work. Apparently, Egghead.com wasn't doing it.
Egghead.com believes after-the-fact spin control is a better policy than building trust with its customers. In the past year, we've seen high-profile security screw-ups at Kaiser Permanente, Western Union and other companies where top management bit the bullet and came clean with customers. Customers seem to have forgiven them.
But apparently that's not the Egghead way. Sure, Egghead.com is a dot-com whose stock is worth pennies these days. Maybe Sheahan figures it's safer to stonewall and pray that optimistic press releases will cover a multitude of sins.
But that's not a very good way to run a business. And it's a lousy way to manage security.