Back in the early days of the Internet, I wrote a story for the long-departed print magazine
NetGuide titled, "Is It Safe To Shop Online?" The answer was a resounding "yes" to folks who were
still reluctant to type in their credit card numbers on archetypal online order forms. It was at least as safe as it was to expose your credit card number to a waiter at, say, the local Red Lobster,
or to a clerk fulfilling, say, magazine subscriptions over the touchtone landline. It
seems to have gotten less safe since then, not only because hackers seem all the more devious but also
because we have put so much more information about ourselves into the billowing cloud of connectivity.
But has it? Or do companies need to do a better job, not only in tightening security on the
back end but also in facing the public relations problem head-on?
The latest breach, unveiled Wednesday evening by the Financial Times, was at Citibank which, like Sony before it, was purportedly taking its own sweet
time in letting the public know that their data may have been compromised.
"Yet another hack, yet another delay in reporting it," reads a CNNMoney report,
putting emphasis on the fact that Citibank says that it discovered the attack in early May. "Citigroup is the latest to report a security breach, but the hack occurred more than a month ago. It's time
for companies to open up about exposures to its systems," reads the prescriptive subhed to Dan Mitchell's story.
The hack affected about 1% of its 21 million customers in North America. The
hackers gained access to cardholders' names, account numbers and email addresses, but not their Social Security numbers, dates of birth, card security codes or expiration dates. The bank has mailed
replacement cards to about 100,000 account holders.
"Citi said the breach affected credit card accounts only, but several people that the FT spoke to said their debit cards were
compromised," writes Suzanne Kapner. "These people said they did not learn of the problem until they tried to use their cards at the weekend and had the transactions denied. Citi said it had been
contacting customers whose information was involved."
Comparing Citi's delay to Sony's lag in informing customers when its PlayStation Network was breached in April by a "hacktivist" group,
Anonymous, CNNMoney's Mitchell says that corporate tight-lips are becoming "a disturbingly familiar pattern."
PBS, Fox and an F.B.I. affiliate known as Infragard have also been attacked by
hackers, Chris V. Nicholson and Eric Dash remind us in the New York Times. "And most worrying of all, perhaps, they compromised the security system of
RSA, maker of the popular SecurID."
But, relatively speaking at least, the Wall Street Journal's Victoria McGrane and Randall Smith write
that Citigroup's response appears to be "aggressive." They compare it to a situation at Michaels Stores earlier this year in which more than 100 customers didn't find out that their accounts were
being looted until three months after the fact. But "once Michaels learned of the situation in May, the crafts store says it made a prompt public disclosure and replaced the equipment," they write.
The spate of cyberattacks actually may be helping marketers in that consumers are becoming inured to the news of yet-another security breach. Several experts looking at the Sony situation
tell Ad Age's Marine Cole that this is indeed the case.
"The reality is companies are under attack," says Marketing Symphony founder and
principal Andrew Szabo, citing Google, Epsilon Data Management and Lockheed Martin as other recent targets. "If Sony had been the only one hacked into, the impact on the brand would have been much
greater. Unfortunately, they're in good company."
And just as it was when Netscape ruled the Internet and PayPal had yet to be conceived, consumers are not going to lose any of their
increasingly harder-to-earn shekels.
"The good news for consumers is that any money stolen from either their credit or debit card account is recoverable," Kapner writes in the Financial
Times. But, as a Gartner Research analyst tells her, "The bad news is they are incredibly inconvenienced."
And who knows what havoc might be wrought if data like Social Security numbers
and birth dates are stolen? Companies would be wise to get ahead of stories like these, which are inevitable, and not wait for snooping reporters to come a-pinging.