Hallelujah!

Hallelujah -- they finally got it!

Success!! My complaint got kicked up the food chain and The Company has changed their corporate practice because of my complaint! (see the original story here and round two here).

Emailing passwords - There are multiple ways a company can confirm an account has been created at an online web store. My apologies if receiving both your account and password information in one email has upset you. [Company] has taken this opportunity to remove password information from registering emails as of 9 am this morning.

(Name of Individual), Director of Marketing and Customer Service, (phone number)

Woot! Woot!

Now that’s the right answer!

Can We Say “Duh?”

Munch's The Scream, which is what I'm doing right now!

Here’s the response I got back to my complaint to The Company that sets up new customer retail accounts (including credit card information), then sends the user name and password in an unprotected email to the customers (see the full story here).

Greetings Judy,

I shared your feedback back with our web manager. Currently our website is protected with 256 Bit Encryption. If you would like more information, you can click on the padlock on the site when you visit a secure area.

(Name of Individual), Communication & Customer Service Coordinator, (phone number)

*head explodes*

And that pertains HOW?

I called the individual who sent the email, and said I was even unhappier as it was obvious that neither she nor their “web manager” had even READ MY COMPLAINT or understood the situation.

“Clueless” is (sorta) cute when it’s a movie. It’s not cute when it’s a company and their employees charged with keeping customer financial information secure.

The interaction did not go well. Clueless Company’s representative tried to fish out The Company’s Obligatory Silver Bowl and wash themselves of any obligations to make that information secure.

Wrong. Answer.

I’ll keep you informed on what happens in Round Three.

Companies Need to Make Identity Theft Hard, Not Easy

Companies need to stop making identity theft easy for criminals!

This just makes me spitting mad. I created a new account with a fairly large and well-known company so I could purchase some items for us online. To my dismay, the company sent me a cheery “Thank you for joining us” email that has all of my new account information–including the user name and password for my account.

AAAIIIIEEEEEEEEEEEEEEE!!!!!

What an utterly irresponsible business practice, one that makes identity theft a snap for even the most unsophisticated of online thieves.

*headthud*

This has become a real soapbox issue for me. I’ve had my credit card information stolen several times over the last decade. Every time it’s been by a criminal hacking into a company’s database. Companies need to get off their collective butts and take responsible actions to keep customer information safe at every step. Emailing a password to a customer as standard practice when creating an account is utterly irresponsible.

Few companies inform customers when their customer information has been hacked. Heck, according to my credit card company, retailers don’t even tell the credit card companies! It’s totally unacceptable corporate behavior. And it’s costing consumers a whole lot of money and time and energy to clean up problems that aren’t of the consumers’ making.

Zappos is a stellar example of a retailer that does it right. When they had a data breach last year, they immediately locked down all of their customer accounts. They informed customers right away about what had happened, and how Zappos was handling it. They kept customers informed, and put together a process that let every customer reopen their account in a secure fashion, with new passwords. Customers found out as part of this that Zappos had taken steps before any such breach occurred to protect customer data by separating credit card and other information, and encrypting it, thereby ensuring that if a breach ever did occur, the damage to the customer would be minimal. Way to go, Zappos!

As a consumer, I’ve made it a practice to contact companies when they’re endangering my identity and credit card safety. Less than fifty percent of the companies contacted take any steps to fix the problem. Guess who walks away from ever purchasing anything from that company again? Yup. Me. I vote with my dollars.

I sent the following email to the customer service division of Irresponsible Company, expressing my unhappiness regarding their business practices. We’ll see what–if anything–happens this time.

Hello,

I just created an online account with XXXX as a returning customer.

To my dismay, your “Thanks for registering” email contains both my user name AND my password.

Hello? Has no one at your company who is responsible for customer accounts ever been through a course on identity theft and customer security?

Sending an email is like sending a postcard through the US Mail. Every bit of information in the email is public. So you’ve just sent my account login and password out to the world.

As a retailer, you are charged with keeping my customer information secure. Obviously, this can’t happen with this business practice in place.

I’ve taken steps to secure my own customer account with you by immediately going into the new account and changing the password. Hopefully, I won’t see a cheery email shortly telling me “you changed your password, and your new one is: _____.”

This experience doesn’t leave me with any confidence in your corporate practices regarding how you are safeguarding my credit card and other customer information.

Please let me know ASAP what steps XXXX is going to take, and by when, to correct this situation regarding emailing passwords for your customers. I’d also like your assurance that you have taken steps to protect credit card and contact information that you are gathering from your customers.

Best regards,

JAS

I’ll keep you posted on anything that happens in response.