Did cyberthieves actually steal credit card numbers when they broke into Egghead.com's systems last year? Egghead and its hired-gun security firm, Kroll Associates, say no. But in the past week, unhappy Egghead.com customers have told Computerworld's Linda Rosencrance that Egghead's claim is, put politely, baloney.
"My credit card number was taken and used to charge phone calls through a Moscow phone exchange," one reader wrote. "I called and e-mailed Egghead with this information. I know it came through them because I had not used this card, it was dormant, with the exception of one software purchase over one year ago from Egghead."
Another reader wrote, "I was traveling in Quebec City with friends and a restaurant manager took my credit card from me and said it was stolen. Imagine my surprise when I called my credit union the next day and they told me the Egghead database had been hacked. "I haven't purchased anything from Egghead in two years. I want to know why my credit card is still in the database after all this time -- what do you need it for?"
Good question -- and one that should be sending chills up the spine of every IT shop that runs a Web store.
Egghead.com CEO Jeff Sheahan insisted in his message to customers last Monday that Kroll's internal investigation "has uncovered evidence which suggests that Egghead.com's existing security systems interrupted the intrusion while it was in progress, and that customer data has not been compromised."
When asked specifically about those customer complaints, an Egghead.com spokeswoman would say only that the company's investigation is ongoing.
Yeah, right. Other customers who talked to Computerworld say they contacted Egghead.com in the past when they suspected their stolen credit card numbers had been hijacked from Egghead, and got no response. Not a sympathetic word, much less a serious investigation.
It looks like Egghead.com has a problem. Three problems, actually:
Egghead.com keeps credit card numbers too long. Customers who haven't ordered from the company in years are understandably furious that their credit card numbers were still sitting in Egghead.com's systems, just waiting to be ripped off.
Sure, it's a convenience to regular customers when the Web store knows their credit and shipping information. But apparently no one at Egghead.com thought of aging off accounts that haven't been used in more than a year.
Egghead.com has no effective system for investigating customer credit card security concerns. When a customer thinks his credit card number was stolen from a Web store, that's not just a customer service issue -- it's also a red flag for IT.
Maybe the customers are wrong, and the site's database is secure. But maybe it's not. No one has a prayer of knowing unless someone is collecting complete information on each incident and watching for patterns. Yes, that's a lot of work. Apparently, Egghead.com wasn't doing it.
Egghead.com believes after-the-fact spin control is a better policy than building trust with its customers. In the past year, we've seen high-profile security screw-ups at Kaiser Permaanente, Western Union and other companies where top management bit the bullet and came clean with customers. Customers seem to have forgiven them.
But apparently that's not the Egghead way. Sure, Egghead.com is a dot-com whose stock is worth pennies these days. Maybe Sheahan figures it's safer to stonewall and pray that optimistic press releases will cover a multitude of sins.
But that's not a very good way to run a business. And it's a lousy way to manage security.