Ask HN: Altrec security breach letter? - warmfuzzykitten

My wife received a letter, ostensibly from Mike Morford, President & Founder, Altrec, Inc., stating the following:

"Altrec was initially contacted by American Express concerning the fraudulent use of a small number of American Express cards that had been previously used at our Website. In collaboration with American Express, we engaged a leading forensic security firm to identify whether our systems had been compromised and to remediate any possible concerns. After a detailed investigation the forensic investigators could not locate any forensic evidence of a security breach. However, we discovered that your American Express account number, expiration date and four digit security code, and associated information (including your name and address) were being stored in our database. If our systems were illegally accessed or used in an unauthorized manner, your personal information could have been compromised sometime between June 2010 and March 2012."

Even though the letter says no evidence was found of a security breach, it goes on to say, "We've addressed the vulnerability found internally and by the forensic investigators, deleted all card information," and etc.

Now, the obvious remedy, if one believes a credit card has been compromised, would be to identify the card, e.g., with the last four digits of the card number, so the cardholder could ask to have a new card issued and the card canceled. But oddly the letter does not suggest that, or identify the card in question, but instead goes on to offer a "complimentary one-year membership of Experian's ProtectMyID(TM) Alert."

It seems absurd that either Altrec or Experian would be engaging in a scare tactic mail-order campaign for an identity protection service. Nonetheless, the letter doesn't quite ring true.

It seems possible that people here involved with security issues are aware of the situation. Usually, potential security breaches like this are made public, but I can't find anything about this one.

Is this on the level?
======
colonelxc
I don't know anything about this breach, but I did find this[1]. It doesn't
really have much more data, but it does include a link to a ca.gov site
hosting a sample letter (which probably looks nearly identical to yours).

As far as the credit watching goes, it is not uncommon. I know of a college
that lost a bunch of student information and did the same thing. Basically the
school (or company in this case) in question pays one of the credit
institutions to give everyone affected a year of credit monitoring service. I
don't know if it actually helps the company in terms of liability, but at
least it is a positive PR decision.

I'm not sure why they don't suggest cancelling the card. Maybe someone like
AmEx is afraid of people leaving them completely instead of just getting a new
card? Feel free to call AmEx and get a new card. Can't hurt, right?

And finally, no, security breaches like this usually are not made public.
Actually, it is suspected that most breaches are not reported to anyone at
all. For companies that do decide to comply with disclosure laws, they send
out letters like this, but usually only to the potentially affected customers
(not publicly). When you see something like this in the news, it is either the
rare case that the company did announce something publicly, or the more common
case where someone like you receives a letter, then runs to the nearest high
traffic blogger/news source to report the story. As you can see on
<http://datalossdb.org>, there are multiple incidents being reported every
day.

Good luck!

[1] [http://datalossdb.org/incidents/6752-amex-notified-company-t...](http://datalossdb.org/incidents/6752-amex-notified-company-that-cards-used-on-their-e-commerce-site-had-been-compromised)

------
lesscryptic
I definitely bought something with an AMEX card on Altrec, and someone
definitely used that card to buy access to a Christian dating site, of all
things, a couple months later. AMEX called me in regard to the fraud a month
or so ago and I got a new card.

I'm inclined to believe that this is legit, but it's kind of crazy that all
they offer is credit monitoring, which I only now feel like I need because
they screwed up. I want a new tent or something.

~~~
jodi
That's not very Christian-like.

------
jodi
It's legit. I got the same letter from Altrec yesterday...about two weeks
after American Express fraud alert contacted me that my card was used on some
UK based sites and random other places. It was cancelled and a new one issued.
I had made a couple purchases at Altrec this past fall.