This just makes me spitting mad. I created a new account with a fairly large and well-known company so I could purchase some items for us online. To my dismay, the company sent me a cheery “Thank you for joining us” email that has all of my new account information–including the user name and password for my account.
What an utterly irresponsible business practice, one that makes identity theft a snap for even the most unsophisticated of online thieves.
This has become a real soapbox issue for me. I’ve had my credit card information stolen several times over the last decade. Every time it’s been by a criminal hacking into a company’s database. Companies need to get off their collective butts and take responsible actions to keep customer information safe at every step. Emailing a password to a customer as standard practice when creating an account is utterly irresponsible.
Few companies inform customers when their customer information has been hacked. Heck, according to my credit card company, retailers don’t even tell the credit card companies! It’s totally unacceptable corporate behavior. And it’s costing consumers a whole lot of money and time and energy to clean up problems that aren’t of the consumers’ making.
Zappos is a stellar example of a retailer that does it right. When they had a data breach last year, they immediately locked down all of their customer accounts. They informed customers right away about what had happened, and how Zappos was handling it. They kept customers informed, and put together a process that let every customer reopen their account in a secure fashion, with new passwords. Customers found out as part of this that Zappos had taken steps before any such breach occurred to protect customer data by separating credit card and other information, and encrypting it, thereby ensuring that if a breach ever did occur, the damage to the customer would be minimal. Way to go, Zappos!
As a consumer, I’ve made it a practice to contact companies when they’re endangering my identity and credit card safety. Less than fifty percent of the companies contacted take any steps to fix the problem. Guess who walks away from ever purchasing anything from that company again? Yup. Me. I vote with my dollars.
I sent the following email to the customer service division of Irresponsible Company, expressing my unhappiness regarding their business practices. We’ll see what–if anything–happens this time.
I just created an online account with XXXX as a returning customer.
To my dismay, your “Thanks for registering” email contains both my user name AND my password.
Hello? Has no one at your company who is responsible for customer accounts ever been through a course on identity theft and customer security?
Sending an email is like sending a postcard through the US Mail. Every bit of information in the email is public. So you’ve just sent my account login and password out to the world.
As a retailer, you are charged with keeping my customer information secure. Obviously, this can’t happen with this business practice in place.
I’ve taken steps to secure my own customer account with you by immediately going in to the new account and changing the password. Hopefully, I won’t see a cheery email shortly telling me “you changed your password, and your new one is: _____.”
This experience doesn’t leave me with any confidence in your corporate practices regarding how you are safeguarding my credit card and other customer information.
Please let me know ASAP what steps XXXX is going to take, and by when, to correct this situation regarding emailing passwords for your customers. I’d also like your assurance that you have taken steps to protect credit card and contact information that you are gathering from your customers.
I’ll keep you posted on anything that happens in response.