> who had their names, financial account numbers, and credit/debit card numbers, including security codes, exposed.
Delta Dental should be rightly and truly f'd for that one. Storing security codes at all is totally forbidden by PCI rules. Delta Dental should have their ability to process credit cards completely revoked for this egregious breach.
It's totally forbidden by PCI rules as well as common sense. Wayyyy back in 2002, I worked at a startup making a billing product. A customer asked for a screen to be able to see CC numbers for their own customers, and our response was a flat no. Any sensitive data was encrypted and sequestered, and security codes were absolutely not stored.
In my current role at a startup, when schedule/time pressure or convenience conflicts with proper data security, I ask people to envision how our processes would look as a news headline or would fare in legal discovery.
Out of curiosity, and without naming names, what is people's typical response and what is the dynamic? Data security is hardly ever convenient, and most often vies for resources with other features or quality improvements, especially in a startup seeking to make its fortune. Can people even imagine breach ramifications without having been previously burnt, or is the main incentive to be able to tout compliance?
> what is people's typical response and what is the dynamic?
Not the OP. One place, a few times when I was doing an integration with a large company, I discovered a grave security flaw in the customer's systems.
One time, had I done the integration despite the flaw, it would've required me to knowingly code some obviously 100% wrong use of cryptographic protocol.
When I started to tell the director to whom I reported, I felt an initial "oh no..." mixed with skepticism, from hints in their voice. So I explained, and answered their questions.
Then they seemed to switch from dread, to solving it. Instead of quietly taking the client's money, they halted integration, and put together a presentation for the customer, telling them how part of their security had a grave problem. (Possibly awkward, because it might've been a team internal to the customer who had made such a mistake on something so sensitive.)
I'd say that the dynamic in that case was what you'd like to imagine from engineers who'd risen in influence: acknowledging the problem, understanding and doing the right thing, when it had to be done, even when they wish it didn't.
I've also seen other dynamics, in which pointing out what should be showstopper problems didn't go as well.
I assume that the most common in business as a whole is a variation on: someone doesn't want to hear about it, because (put broadly) acknowledging it would conflict with business goals or their individual goals. Example conflicts: don't get a sale, slip the schedule, fail to meet some individual OKR/KPI, or expose an earlier mistake of the individual.
Also, the dynamic doesn't have to come down to conflicts between plausibly rational motivations (for business or self). Egos and irrational cognition are also parts of our collective human situation, and an individual's particular traits (or a personal challenge they're going through) can sometimes lead to that taking over decisions. It happens, and we should try to realize when that's the cause (rather than just an attempt at cover for some rational motive they don't want to state), so that we can try to get to rational decision-making.
A different thing, or a complication: There can also be dynamics in which an 'ambitious' person in an org, not naturally involved in the situation, uses the situation to grandstand or hit a rival. And obviously this can affect the dynamics for people who are involved (e.g., person A would normally do the aligned thing for the company, but it's more complicated now that B will twist that to gun for their job). Fortunately, I don't immediately recall seeing an egregious example first-hand, but have heard of it.
> or is the main incentive to be able to tout compliance?
At the time I joined, the existing goals were around compliance and checking boxes on security questionnaires, which is exactly the problem I'm trying to solve. Specifically, compliance was driven by the IT/Infra teams and mostly around access to cloud infra. That's obviously useless if a db server is locked down and change managed, but the software accessing the data isn't.
So, the bulk of my efforts in this area have been around bridging the gap from checking boxes to actual compliance with various standards. Fortunately, we rely heavily on data, so it's not a hard sell to properly protect things.
In general, people receive the questions well, as it makes the strong point that there's a big gap between checking a box that people in sales & marketing care about, vs. how any issues arising from not having "real" compliance would be catastrophic and business ending for a company of our size.
In 2002? Probably something now-crazy like “how else will I process returns?”
It is not directly related, but as a hopefully funny semi-related anecdote, the federal government stopped states from putting social security numbers on drivers licenses in 2004. Renewal frequency depends on the state, but it is typically in the 4-8 year range, so plausibly until 2012 people were going around showing their SSN to anybody that needed to see ID.
I specifically remember this caused stressful situations as a teenager working retail; people justifiably didn’t want to show an ID when doing returns because it had their SSN. A credit card number is hardly anything comparable!
This all seems absurd nowadays, but the past is not really that long ago.
In 2002 my school (Kent State) was in the process of phasing out SSNs as student numbers. I was working as a student IT employee in one of the departments and spent quite a bit of time updating systems to remove the use of SSNs.
Well into the 2000s it was routine to find unredacted SSNs in public Federal bankruptcy filings. Likewise, the old Congressional Records contain thousands of SSNs of newly promoted military officers. Librarians have spent a lot of time tracking these down in their archives to redact them.
A fly-by-night IT training/certification/voucher reseller I worked for around that time saved customer billing information as a convenience.
No joke-- credit card numbers, billing addresses, CVV codes, all stored in plaintext in an Access database. Tiny shop though; I don't know if they were big enough for PCI to even apply.
Storing the CVV would be very bad, but the form they’re linking to is ambiguous:
“Information Acquired - Name or other personal identifier in combination with: Financial Account Number or Credit/Debit Card Number (in combination with security code, access code, password or PIN for the account)”
I use Delta Dental. What does this mean? Why would they store my CC info when I’m paying directly to my dentist and Delta Dental is also paying the dentist?
How does my CC info get transferred to the insurer? There’s no such transaction afaik.
That's a good point. The best way to not leak a secret is to not have the secret in the first place. I don't know anything of PCI rules but I would imagine there is a way to implement the feature "store this credit card information for future purchases" without storing the raw credit card information.
Yes, you ask for an authorization token for recurring payments from your payment provider if you intend to make subsequent charges from that card. Then you store that token only (and maybe last 4 digits of the card for the customer’s convenience) and use the token without any other card information to make charges.
I assume they kept these in a database, which was sent or exported in some way to use MOVEit to transfer somewhere else. The hack was at MOVEit's servers I think, which allowed people to read the contents. The question I have is was this information encrypted by DD or did they just assume MOVEit was safe? If the latter, it's pretty stupid.
I’ve done a lot of research into HIPAA (I work in a dental-adjacent field) and my guess is that it’s almost certainly the latter – an assumption, maybe based on something they were told. But it’s still on them regardless of whether they were deceived or simply didn’t ask.
There have been very few dental practices who have paid fines for HIPAA violations, and one that stands out is one who hired a document shredding firm to destroy old paper patient records. The shredders picked up a bunch of files and just drove around the corner and hucked them into an open dumpster where they were found. The dentist was fined as the result of their assumption that a document shredding firm would, you know, shred documents.
Not USA, but we had a case where the discarded unshredded health files somehow ended up being used in a movie shoot for “special effects” and strewn all over a street somewhere.
Hey come on, when Target had their data breach in 2015 due to massive negligence and incompetence, the largest data breach ever to date, they had to pay about 1.6% of their average net income at the time in penalties. I imagine Delta will pay less than that since, you know, it isn't as bad.
That would just force the company to form back up with the same people under a new name. Unless individuals can be held responsible, there's nothing we can do about it.
I used to work at a medium-sized non-tech company (<200 employees) that had a fair amount of IT staff. Stripe is expensive asf and we always talked with banks and payment processors directly.
We never stored CVVs or any of that insane nonsense though. Our systems only ever saw CC info in transit but they were never stored on-site.
God I miss that company. Working with smart people is great.
I was going to ask something similar. US companies especially seem rather fond of storing credit card information, but I never see it done in Denmark, regardless of the size of the company. The most common solution is to let your payment processor deal with those sorts of things; you just have a token, which can only be used to deposit money into your account. So even if it's stolen or leaked, you can transfer the money back; it can't be transferred to a third party.
Why on earth you'd want to deal with credit card information and the attacks it attracts is beyond me. It's not like you're locked to your provider, the tokens can be transferred... Not easily, but it can be done.
And no, companies would never pay Stripe's asking price. You can negotiate much much lower rates with companies like Valitor/Rapyd or certain banks.
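The token-only design described in the comments above (store a token and the last four digits, never the raw card data; the security code is only ever in transit; a token only works for the merchant account it was issued to), as an added example that is not code from any commenter and not any real processor's API. `Processor`, `Merchant`, the `tok_` token format and the charge flow are constructed stand-ins; the card number is the well-known Visa test number and the CVV is made up.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// vaultEntry is what the (hypothetical) payment processor keeps per token. The
// security code is deliberately absent: it is checked during tokenization and dropped.
type vaultEntry struct {
	pan        string
	merchantID string // the token only works for the merchant it was issued to
}

// Processor stands in for the payment provider's vault (constructed, not a real API).
type Processor struct {
	vault map[string]vaultEntry
}

func NewProcessor() *Processor { return &Processor{vault: map[string]vaultEntry{}} }

// Tokenize sees the full card data exactly once, in transit, and returns an
// opaque token bound to the merchant. Nothing below retains the CVV.
func (p *Processor) Tokenize(merchantID, pan, cvv string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return "", errors.New("bad PAN length")
	}
	if len(cvv) != 3 && len(cvv) != 4 {
		return "", errors.New("bad security code length")
	}
	// A real processor would run an issuer authorization here using the CVV;
	// after that check the code goes out of scope and is never written anywhere.
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(b)
	p.vault[tok] = vaultEntry{pan: pan, merchantID: merchantID}
	return tok, nil
}

// Charge settles a payment given only the token; the PAN never leaves the vault.
func (p *Processor) Charge(merchantID, token string, cents int64) error {
	e, ok := p.vault[token]
	if !ok {
		return errors.New("unknown token")
	}
	if e.merchantID != merchantID {
		return errors.New("token not issued to this merchant")
	}
	if cents <= 0 {
		return errors.New("invalid amount")
	}
	return nil
}

// CardOnFile is the only card-related record the merchant persists.
type CardOnFile struct {
	Token string
	Last4 string
}

type Merchant struct {
	id    string
	proc  *Processor
	cards map[string]CardOnFile // customer ID -> card on file
}

func NewMerchant(id string, p *Processor) *Merchant {
	return &Merchant{id: id, proc: p, cards: map[string]CardOnFile{}}
}

// SaveCard handles checkout: PAN and CVV pass through to the processor, and only
// the token plus the last four digits are written to the merchant's own store.
func (m *Merchant) SaveCard(customerID, pan, cvv string) error {
	tok, err := m.proc.Tokenize(m.id, pan, cvv)
	if err != nil {
		return err
	}
	m.cards[customerID] = CardOnFile{Token: tok, Last4: pan[len(pan)-4:]}
	return nil
}

func (m *Merchant) OnFile(customerID string) (CardOnFile, bool) {
	c, ok := m.cards[customerID]
	return c, ok
}

func (m *Merchant) ChargeOnFile(customerID string, cents int64) error {
	c, ok := m.cards[customerID]
	if !ok {
		return errors.New("no card on file")
	}
	return m.proc.Charge(m.id, c.Token, cents)
}

// Dump models what someone who exfiltrated the merchant's database would read.
func (m *Merchant) Dump() string {
	var sb strings.Builder
	for id, c := range m.cards {
		fmt.Fprintf(&sb, "%s,%s,%s\n", id, c.Token, c.Last4)
	}
	return sb.String()
}

func main() {
	proc := NewProcessor()
	shop := NewMerchant("shop-a", proc)
	// Constructed sample: the standard Visa test PAN and a made-up security code.
	_ = shop.SaveCard("cust-1", "4111111111111111", "123")
	fmt.Print(shop.Dump())                         // cust-1,tok_<random>,1111
	fmt.Println(shop.ChargeOnFile("cust-1", 1999)) // <nil>
}
```

The `Dump` method is the point of the exercise: with this layout a copy of the merchant's table yields tokens that only the issuing processor can resolve and that only this merchant's account can spend, so the record that would matter in a breach like the one discussed simply is not there.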
For a long time, payment processors in the US would charge more to offer tokenization services. Cost-conscious companies with an eye on their unit economics reacted in predictable ways.
> Cost-conscious companies with an eye on their unit economics reacted in predictable ways.
That seems like the likely explanation. I don't know what the additional cost would be, but with 7 million customers, it could be a million dollars a year in saving. That would require you to be able to be PCI compliant for less than that amount and the risk is still considerable, you could lose your VISA or MasterCard contract pretty quickly and then you're out of business.
We had a situation where scammers would use our site to check stolen credit cards, we got at most 7 days to handle the problem or VISA would close our account. I'd imagine that failing out of compliance would hit equally hard.
> Storing security codes at all is totally forbidden by PCI rules.
It's kind of silly though. They are no more "secret" than your credit card number itself or expiration date. Once you give it out once or hand your credit card to literally anyone, it's out. Now instead of acquiring N numbers, the hacker needs to acquire N+3 (or N+4) numbers.
...to complete a credit card transaction. At some point that record is in a computer or in your restaurant waiter's brain, so it's vulnerable to exfiltration, regardless of what part of that record gets redacted for long term storage.
We are living in a world with bozos in charge who can't seem to develop a secure payment system, so we as users need to simply assume that all information required to make a purchase on our behalf is public knowledge, and instead diligently check our records for inaccuracies. I don't sweat these "breaches" because I freeze my credit and review all my bank and credit card transactions daily now.
It's not silly. The point is that security codes are only ever supposed to be sent in transit, and the only place they are ever stored is by the issuing processor.
It's not supposed to solve every potential vulnerability, but there is a whole class of exploits, exactly like the one in the article, that result from stolen storage, that this rule is designed to protect against.
> Now instead of acquiring N numbers, the hacker needs to acquire N+3 (or N+4) numbers
This seems almost as reductive as suggesting my mechanic should keep her customers' keys (k) in their cars (c) in her parking lot because instead of just acquiring c, now the thieves just need to acquire c+k.
If we were talking about 3 extra digits on the card number, that would be one thing. But we're talking about a separate authentication factor, which seems pretty worthwhile to me. Getting that info isn't exactly a snap if you don't just find it lying around-- it's not like you can brute force it. I'd be pretty astonished if a credit card company didn't cancel someone's credit card if someone tried a handful of transactions with random security codes, let alone enough to guess one number in a thousand.
Sure, there are undoubtedly better ways to handle these transactions, but lacking magic wands to change a giant dinosaur of an industry that should have wanted to change on its own, this is a prudent policy-based strategy to mitigate harm. Whether or not you sweat these breaches is a good way to gauge your own processes, but it's not a useful way to gauge industry-wide processes.
> I'd be pretty astonished if a credit card company didn't cancel someone's credit card if someone was tried a handful of transactions with random security codes, let alone enough to guess one number in a thousand.
If you have a whole database of them, the trick is to try one code with a thousand cards. Even so, that was a major improvement over the status quo before, which was to use the expiration date, meaning you only had to try about 24 or 36 cards with one month/year.
Their fraud detection algorithms are specifically looking for small, localized, per-transaction events with few data points as well as overall patterns-- I doubt it would be that straightforward. It might not mean you'd be targeted, but on a per-transaction basis, I think there's a good chance you'd get blocked for any individual attempt even if you got a match.
I would need to hear that from someone who actually works in a CC company fraud department because I don't think it's that straightforward. I've had MC transactions declined on a card I use for everyday purchases at two stores in my neighborhood. I don't think reasoning about their transaction monitoring like someone might monitor network traffic is a good analog-- they're specifically looking for patterns in small-scale, localized events without many data points. They don't have to connect the events to stymie the fraudster's efforts.
> If you have a whole database of them, the trick is to try one code with a thousand cards
That still sounds like a crapshoot... Of those 1,000 cards, there might be 14 that have 982 as CVV, 9 that have 307, and none with 118. In other words, there's no guarantee whatsoever that any given CVV will be used in a batch of 1,000 or even 10,000 cards.
> If we were talking about 3 extra digits on the card number, that would be one thing. But we're talking about a separate authentication factor, which seems pretty worthwhile to me.
It's not really another factor in the sense of the three types of factors: Something you know, something you have, something you are. It's just more digits of "something you know" so it's the same factor. It's why 2-factor auth isn't just 2 separate passwords.
Seems to me that when you turn it into data, it pretty much all becomes "something you know." If a credit card required biometric authentication to make credit card transactions and a vendor stored my biometric signature in a database along with my credit card number, it would be no more or less secure than a 3 digit number.
There are better ways to handle it. Policy is a good interim step to mitigate damage before they're implemented.
> bozos in charge who can't seem to develop a secure payment system
Actually, the credit card system is very secure to you the consumer.
By regulation, you're not liable for anything if your card number is abused in a card not present transaction (typically the case here for numbers stolen over the internet).
I don't have any other form of payment that is as secure, so good job credit cards.
(As a cryptography and security nerd, it took me a long time to learn that while mathematically guaranteed security is very cool, sometimes you can achieve an equal result just by passing a law.)
For physical transactions, change is happening, but it’s a slow migration. Looks like MasterCard has plans to remove the magnetic stripe [1].
Online, perhaps credit cards will disappear into password managers and mobile payments (Google and Apple Pay, etc.) with ordinary businesses storing very little.
It's not silly just because it can't solve all problems. It goes a long way to make gas station type skimmers less valuable, because you can't print a phony card from them, or the phony card you can print is limited to a subset of possible purchases. Perfect-enemy-of-good, yada yada.
You're not wrong, but GP is saying that 3 digits is a pretty weak 'security' code and gas station skimmers are on the tail end of the threat model compared to exfil of data at any point in the processing chain.
I tried to better clarify what I'm saying in [1]. I'm not saying the small number of digits makes it insecure, it's that "moar numbers" is not really adding anything in terms of multi-factor or secrecy. Instead of knowing N digits, you merely need to know N+M digits. It is not changing the nature of the secret.
It's a different set of protocols, reducing the surface area of successful breach strategies. If you simply added three digits to credit card numbers but maintained the same protocols on the credit card numbers, it wouldn't improve security nearly as much. There are fewer tactics that will successfully get you the N+M digits than those that would get you the N digits. Most 2FA works the same way. It's not like the six digits of Google Auth add security; it's the protocols around them.
To put it another way: the value of those extra three digits is that they are indeed "more secret". They exist on far fewer hard drives.
I think this topic came up a week or 2 ago, and I made an almost identical comment as you, which was why the content of my reply was fresh in my memory. Anyway, in the recent convo, a kind HN poster provided this explanation of CVV.
I totally see why it just seems like "moar numbers" though, and I find them unnecessarily annoying. I wish they could reduce the complexity (maybe letters, colors or shapes, something more human-compatible), but there's just too much legacy code with too little benefit.
It is a poor person's version of a password for using the credit card, only available to people who have the credit card in their hands. Not silly at all.
I agree with you. When the secret is always collected side-by-side with the number it seems little comfort that only one part is “supposed to be stored”.
it's not supposed to be a secret in the "something you know" way, but rather "something you have" - i.e. the physical card. If they store it you no longer need the physical card for an entire family of attacks & frauds.
Yes, I'm pretty sure no more than 5% of breaches and leaks get public press.
There are so many internal company filters a breach has to go through to become public, all the way from some engineer messing up and "just closing the terminal" with a beating heart hoping no one will notice, to a long chain of managers who have to send the message upwards, then the leadership approving public disclosure, all with negative pressure to not disclose because of career, stress, extra work, penalties, all the way to stakeholder value.
You're only looking at it from one end of the funnel.
On the other end you have security researchers who are active in the cybercrime underground markets, and have the same opportunity to buy stolen data as the criminals themselves.
So disclosure can come from the other end when it becomes apparent that a certain company's data is being sold, and I think almost all of it does get sold eventually, even if the initial hacker has a way to exploit it privately: After they've finished, they can make money selling the leftovers.
I would honestly guess about 0.1% of bad leaks (e.g. not just email and user name or whatever) are disclosed in the end.
It has to be really hard for the police or card providers to correlate frauds with customer databases.
And like, how do you even notice you are hacked? Unless the hacker sends you extortion messages, which I guess is the main reason for disclosure. Otherwise the hacker can tip off an attorney and 'pwn' corporate lawyers for real. A risk the lawyers won't take even if the company wanted to.
I sometimes feel lawyers are the only group of workers with real agency ...
Well thankfully point #3 is mandatory in places with laws such as the GDPR or California or Brazil's equivalents which mandate disclosure to impacted users and publicly.
They knew about the breach June 1, confirmed June 6, but the information is only made public after almost five months, November 27? (After a "second, more lengthy investigation".)
It is absurd, and it violates the mandatory timely notification laws which are in place in many states, including Washington.
Umpqua Bank was also affected by MOVEit by way of one of their fintech vendors (FIS); they didn't even bother to notify my state's AG, as required by law, nor did they provide timely or accurate notifications.
Maybe companies feel a diffusion of responsibility when there are so many others affected.
At this point I'm willing to bet that every single American -- including the Amish -- has been part of at least one major data breach. And for everyone on HN... probably at least ten.
I've been part of four or five breaches. My favorite part is the complete lack of value in the mitigations for me. I was part of the OPM data breach, and the data included was literally everything, since it was everything collected as part of my application for a security clearance. A result of that was 10 years of credit monitoring, so every new breach's offer of 12 or 24 months of monitoring is useless.
Until there are statutory damages for data breaches, and even steeper ones for failure to report breaches, companies aren't going to properly safeguard data.
> statutory damages for data breaches, and even steeper ones for failure to report breaches
If say an engineer becomes aware of a breach, would going public if their company didn’t do so within the legal timeframes to report be covered by whistleblower protections?
TBH, I know of at least one other breach that everyone got hit by too...afaik it was never made public though.
It's been a while since I was told the story, so bear with me. It was Experian. They shipped tape backups of essentially their entire consumer credit DB, unencrypted, via UPS.
UPS truck got robbed at gunpoint, only one package stolen...
Back when people got physical checks for payroll, I worked at a company that did this, and gave physical stubs to those of us who did direct deposit, which was still kind of new.
Biweekly, the person handing them out would take them home to sort by floor/area/whatever to ease their work the next day.
You guessed it, one day their car was stolen, with ALL of our checks/stubs in it. And our SSNs were printed on them too.
We were given a year of credit monitoring at the credit unions, paid for by the company. And they stopped printing the SSNs on them.
The title is borderline click-bait: I have had Delta Dental insurance at every employer, so I clicked through to read more, but I've never lived in California or been employed by a California company.
People say that Delta shouldn’t have been storing CVC numbers (fair point), but note that the breach was upstream of them at MOVEit, which supplies an on-prem file transfer program and cloud offerings specifically for managing PCI environments.
The real WTF is that the PCI compliance vendor’s solution led to them storing that data.
According to the article, this applies mostly or only to Delta Dental of California.
Slightly OT: Delta Dental was the company that Costco used to sell Dental Insurance through. (unfortunately, that partnership has ended with no replacement.)
Careington and Thrive both offer overlapping discount plans that (especially combined) can more than offset the much higher monthly (not low annual) prices that Delta Dental is now charging, especially for a family.
When I ask my non-techie friends about stuff like this, they really don't care anymore unless they actually get hacked, scammed, etc. It happens so often that there's now "breach fatigue". Meaning little pressure on companies to do better.
Even as a tech person, I am indifferent. I’ve adapted to a world where cards get stolen, so I never use debit, review my statements, and have spending notifications turned on for my phone. I have the apps so I can instantly lock my card. I have already learned to live in a financial castle.
It is obviously not great, but an additional breach has little marginal impact on my life.
The real question is why online credit card payments still involve using the whole card number, as opposed to some message signed by the card's private key authorizing certain spending limits for a retailer.
That’s exactly what we have in the Netherlands — there is a system where you can go to check out, using iDeal.
It gives you a QR code at checkout, which you can scan with a banking app on your phone. It shows on your phone the amount you’re sending, and to whom, with a button to approve or deny.
You can also set it up as a recurring payment in the app and say “authorize this same payment automatically in the future, up to €xyz amount”. Then you can see a list of all of your authorized recurring payments, and cancel or change them any time from the bank app.
Online retailers almost surely do better by allowing easy use of credit cards by even the least technical 5% of Americans than they would from a lower fraud system that required a moderate or higher level of technical acumen to operate.
Suppose I'm at a computer ready to buy a PS5 on BestBuy's site. What's the complexity now vs under a proposed private-key system? What's the loss in conversion rate on the latter?
I'm not sure exactly what that might look like, but if you look at crypto wallets for example, you could have a browser extension (or something like Apple Pay) that's able to custody the private key and sign transactions. Once you have it set up, it would be much easier than entering a CC number.
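The private-key authorization sketched in the comments above (a message signed by the card's key that names one retailer and caps what it may charge, with the key held in a wallet and cancellable from the cardholder's side like the recurring-payment list described for iDeal), as an added example that is not code from the thread or from any real payment network. The `Mandate` format, the `Issuer` stand-in and the choice of Ed25519 from Go's standard library are assumptions; what the example shows is that the merchant ends up storing something that is useless to anyone else and enforces its own limits.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Mandate is the message the cardholder's key signs. It never carries the card
// number: it names one merchant, caps what that merchant may charge per
// transaction, and expires. (Hypothetical format, not a real network's.)
type Mandate struct {
	ID        string `json:"id"` // random; lets the cardholder revoke it later
	Merchant  string `json:"merchant"`
	MaxCents  int64  `json:"max_cents"`
	ExpiresAt int64  `json:"expires_at"` // Unix seconds
}

// SignedMandate is what the merchant stores instead of a card number.
type SignedMandate struct {
	Mandate   Mandate
	Signature []byte
}

// NewCardKey generates the per-card key pair. In the proposal the private half
// lives in a wallet (phone, browser extension); the issuer keeps the public half.
func NewCardKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func newMandateID() string {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy; nothing sensible to do here
	}
	return hex.EncodeToString(b)
}

// SignMandate is the wallet-side step: the cardholder approves merchant, cap and expiry.
func SignMandate(priv ed25519.PrivateKey, merchant string, maxCents int64, expires time.Time) (SignedMandate, error) {
	m := Mandate{ID: newMandateID(), Merchant: merchant, MaxCents: maxCents, ExpiresAt: expires.Unix()}
	payload, err := json.Marshal(m) // field order is fixed, so the encoding is deterministic
	if err != nil {
		return SignedMandate{}, err
	}
	return SignedMandate{Mandate: m, Signature: ed25519.Sign(priv, payload)}, nil
}

// Issuer holds each card's public key and the mandates the cardholder has cancelled.
type Issuer struct {
	cards   map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewIssuer() *Issuer {
	return &Issuer{cards: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

func (iss *Issuer) RegisterCard(cardID string, pub ed25519.PublicKey) { iss.cards[cardID] = pub }

// Revoke is the "cancel any time from the bank app" action.
func (iss *Issuer) Revoke(mandateID string) { iss.revoked[mandateID] = true }

// Authorize runs when a merchant presents a stored mandate with a charge. The
// signature is checked against the issuer's own copy of the public key, so an
// altered mandate, or one lifted from a different merchant's database, fails.
func (iss *Issuer) Authorize(cardID string, sm SignedMandate, merchant string, cents int64, now time.Time) error {
	pub, ok := iss.cards[cardID]
	if !ok {
		return errors.New("unknown card")
	}
	payload, err := json.Marshal(sm.Mandate)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, payload, sm.Signature) {
		return errors.New("bad signature: mandate altered or not signed by this card")
	}
	m := sm.Mandate
	if iss.revoked[m.ID] {
		return errors.New("mandate revoked by cardholder")
	}
	if m.Merchant != merchant {
		return fmt.Errorf("mandate is for %q, not %q", m.Merchant, merchant)
	}
	if cents > m.MaxCents {
		return fmt.Errorf("charge %d exceeds cap %d", cents, m.MaxCents)
	}
	if now.Unix() > m.ExpiresAt {
		return errors.New("mandate expired")
	}
	return nil
}

func main() {
	pub, priv, _ := NewCardKey()
	iss := NewIssuer()
	iss.RegisterCard("card-1", pub)
	sm, _ := SignMandate(priv, "shop-a", 5000, time.Now().Add(24*time.Hour))
	fmt.Println(iss.Authorize("card-1", sm, "shop-a", 4999, time.Now())) // <nil>
	fmt.Println(iss.Authorize("card-1", sm, "shop-b", 100, time.Now()))  // wrong merchant
}
```

The contrast with the card-number model is in what a breach of the merchant yields: a `SignedMandate` taken from shop-a's database can only ever produce charges at shop-a, under shop-a's cap, until the cardholder revokes it, whereas a leaked PAN plus security code works anywhere.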
It's just a legacy pattern. Online credit card payments predate online banking. The whole model for US card payments online was created as an extension of the way credit cards were used to pay via mail or telephone.
Journalists don't seem to grok the fact that breaches are totally the fault of the breached site. Sure, the attackers are bad people, but that's a different crime.
We need something close to a death sentence for sites that allow themselves to be breached. Mandatory $10k per exposed SSN, $10 per exposed email, that sort of thing.
What would be the result? Only good: sites should not be storing this data themselves. The real conversation-flip is that we need to put people in charge of their own data, and make it radioactive for data-users (like Delta Dental) to store it. This kind of data should only live in facilities that are solely run for the purpose, and which provide the data-subject with full control. Who pays? Not really that hard - some combination of the data-subject, data-users (transaction fees), perhaps just a governmental single payer (since we're talking tiny cost).
Imagine if you could look at your data (you can't today!) and could explicitly share out bits to particular data-users. All your records (dental, tax, CC, banking).
It’s super fun and cool that dentistry is controlled by a cartel and we just let it happen out in the open. It is NOT insurance, because there is no risk pooling or coverage for adverse events. It’s just a payment plan that sets prices unilaterally.
As someone that used Dental Insurance heavily after I didn't take good care of my teeth in my 20's and previously negotiated many different Dental policies as an agent for a large employer this really isn't true.
1. I found that different Dental Insurance companies have wildly different negotiated rates and there is no real standard. Delta Dental tends to have better negotiated rates in my experience and United Healthcare's dental plans seem like they don't negotiate at all and using a specialized Dental company results in the lowest rates overall as the large health insurers are simply profiting off the insurance and don't seem to care how much they pay, which sucks when you pay a percentage for a procedure.
2. The totally covered population for dental insurance is not big enough to control the market. Generally, I found that when I wasn't covered by dental insurance, dental costs were a lot higher and you do generally receive a savings from dental insurance and they really don't have enough market share to control the market.
3. The coverage for adverse events is mostly just limited, because if you go to the dentist regularly, you generally don't have tons of adverse events within one year. I think most people will find a decent dental insurance plan will mostly cover them. Even if you exceed the negotiated rate,
I just find that in general having dental insurance is beneficial to me as a person and not a scam like vision insurance where you are generally better off finding a coupon or deal, or ridiculous like health insurance where they have manipulated the networks and deductibles so that the average person has no idea what they are buying or how to evaluate it.
My criticism of dental insurance would simply be that I think that policy holders should benefit from company negotiated rates under a policy even when a particular item isn't covered under their policy. I find that is the one area where dental insurance in general is lacking, because dental insurance takes the negotiation out of pricing and gives you the benefit of the company's negotiated rates.
I’m not sure why you say this. Maybe I don’t understand what you mean.
I have Delta Dental through my employer’s benefits and it covers all the types of operations that I’d expect: preventive, endodontic, periodontic, orthodontic, prosthodontic, etc.
If I need a root canal, it’s covered by Delta Dental (up to a point, given the deductible). If I chip a tooth, and get an inlay or onlay, that is covered. Is this not insurance? Why not?
Where I live, Delta offers a plan that essentially provides a set price list for various procedures as long as you are in network. Perhaps the person you're replying to has run into that plan and didn't realize that they also have more conventional plans.
Sidebar, but does anybody else get incensed by the fact that Delta frequently uses customers’ SSNs as their account numbers? My dentist looked at me like I was crazy when I told them I didn’t want my account information being stored on their computers for that reason.
But maybe in this moronic system, resistance is futile.
MOVEit has been a vector for several high profile bank and government breaches in the last few months.
I really have to wonder why anyone is still using their services after yet another security incident.
I’ll never forget when a Citibank employee that processes mortgage applications asked me for my credit card over email.
They also had a "secure messaging center" that would take your message, put it in a PDF, password protect the PDF, and then send it to the email address along with instructions for them to log in to the website to get the PDF password.
The list of bad things banks do with security goes on, and it is a blatant reminder: "rules for thee but not for me".
The entire home-buying process (in the US, at least) seems to be built on shady-looking ways to nickel and dime people. I remember telling friends when going through it that it'd be easy to scam me because I got so used to urgent requests to pay some fee for inspections or legal stuff or whatever that I'd just shell out the money without asking questions.
It's got nothing on medical billing. Seemingly random bills from entities you may never have heard of showing up months later even when you paid a shitload (thousands) up-front.
[EDIT] Oh and they may not put enough info on the bill to figure out WTF it's even for, without calling them. It'll have some uselessly-generic single-line item for what was probably multiple things, but you'll have to spend an hour on hold to find out what you're supposed to be paying for.
It's pretty sad that after decades of such breaches, these still do damage. We have had tech, such as security keys, for some time. Even a basic authenticator app helps. These should be standard with anything remotely sensitive.
Another sad point is that there is rarely true accountability. Offering 24 months of some service is a pittance and an expense of doing business that could be factored/priced in, continuing the poor security practices.
Delta Dental is one of the worst dental insurance companies out there. I hope it goes bankrupt. They have cut benefits so much that most dentists I know have dropped them completely and refuse to take them. It has caused a bunch of headaches for us and for most families I know.
Under PCI-DSS v4.0, the card verification code, which is the three- or four-digit number printed on the front or back of a payment card, must not be retained after the completion of the authorization process. This rule is in place to prevent fraudulent activities, such as Internet and mail-order/telephone-order transactions, which can occur if card verification code data is stolen.
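What that retention rule looks like at the code boundary, as an added example that is not from the thread or from any payment processor's SDK: the verification code and the full PAN are used for exactly one authorization call and never copied into the record that gets persisted, and a guard walks whatever is about to be written or logged and refuses it if a verification-code field or a Luhn-valid card number slipped in. The processor call is a constructed stand-in (`fake_authorize`) so the file runs offline; the field names in `CVC_KEYS` are assumptions about what sloppy code tends to call the field.

```python
"""Card-data lifecycle sketch (added example, not from the thread or any real SDK).

Assumption: a processor API that takes full card details for one authorization
and returns a reusable token. `fake_authorize` stands in for it so this runs offline.
"""
import re
from dataclasses import dataclass

# 13-19 contiguous digits, not part of a longer digit run
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Field names (assumed, not from any spec) under which a verification code tends to leak
CVC_KEYS = {"cvv", "cvc", "cvv2", "cvc2", "cid", "security_code", "card_verification_code"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates a real-looking PAN from an unrelated long number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class CardInput:
    pan: str
    exp_month: int
    exp_year: int
    cvc: str  # sensitive authentication data: lives only as long as the authorization


def fake_authorize(card: CardInput, amount_cents: int) -> dict:
    """Constructed stand-in for the processor. Returns an auth code and a token;
    nothing it is handed is written anywhere."""
    if not luhn_ok(card.pan) or len(card.cvc) not in (3, 4) or amount_cents <= 0:
        return {"approved": False}
    return {"approved": True, "auth_code": "A1B2C3", "token": "tok_" + card.pan[-4:] + "_x"}


def stored_record(card: CardInput, auth: dict, amount_cents: int) -> dict:
    """Everything the merchant may keep after authorization: token, masked PAN,
    expiry, auth code. The CVC and the full PAN are deliberately not copied."""
    return {
        "token": auth["token"],
        "pan_masked": card.pan[:6] + "*" * (len(card.pan) - 10) + card.pan[-4:],
        "exp": f"{card.exp_month:02d}/{card.exp_year}",
        "auth_code": auth["auth_code"],
        "amount_cents": amount_cents,
    }


def find_sad(obj, path: str = "") -> list:
    """Walk a JSON-like structure and report anything that looks like sensitive
    authentication data (a verification-code field) or a full PAN inside a string.
    Run it on every payload before it reaches the database or a log sink."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if str(k).lower() in CVC_KEYS:
                hits.append(f"{path}/{k}: verification code present")
            hits += find_sad(v, f"{path}/{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits += find_sad(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        for m in PAN_RE.findall(obj):
            if luhn_ok(m):
                hits.append(f"{path}: full PAN present")
    return hits


def charge_and_store(card: CardInput, amount_cents: int) -> dict:
    """Authorize once, then persist only the post-authorization record, and
    refuse to persist at all if the guard finds SAD in it."""
    auth = fake_authorize(card, amount_cents)
    if not auth["approved"]:
        raise ValueError("declined")
    record = stored_record(card, auth, amount_cents)
    problems = find_sad(record)
    if problems:
        raise RuntimeError("refusing to persist: " + "; ".join(problems))
    return record


if __name__ == "__main__":
    # Constructed test card number (the well-known 4111... test PAN), not a real account.
    print(charge_and_store(CardInput("4111111111111111", 12, 2030, "123"), 1999))
```

The guard is the part worth copying: a schema that simply lacks a `cvc` column does not stop the code from stuffing the whole request object into a "raw_payload" column or a debug log, which is the usual way verification codes end up on disk.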
We need regulations that fine companies in the neighborhood of $10,000 per violation (i.e. per person whose info was compromised) plus potential prison time for company officers in cases of egregious violations, which this appears to be.
Until prison time is on the table, companies will continue to collect, store, and sell personal information and will continue to fail to implement best practices for protecting it.
Really basic security practices weren't followed. I cancelled my plan and am now switching to my new primary health insurance's dental plan, which I should've looked at. I don't know why these companies wait for a breach before looking at their systems after all these data breaches. I mean, storing credit cards is Do Not Do 101.
Great example of why you should never ever ever give out a debit card number for anything. Just about every credit card company has virtual numbers now. And even still, there's a massive difference between disputing a credit charge and replacing lost funds in a checking account.
It’s lamentable that any of this information still has value to fraudsters. Once it became clear that companies cannot safely control this data, it should have been stripped of any value by having some security token under user control provide the actual payment authorization.
Scary thing about this is that Delta Dental is a multi-state entity, but Delta Dental of California is the entity that handles federal employee benefits, so it likely leaked sensitive details about many federal employees if it contained their entire subscriber base.
At this point any company still using the MOVEit service should probably be considered criminally negligent. That service has been the source of a number of high-profile breaches in 2023.
Yeah... it's a complete PITA. I also had the 'we can't freeze right now' and it took a few days of verification and eventually having to call them to get it all sorted.
My reasoning is it's better to do this before a bad person has your account rather than during.
Cool, Delta Dental is one of the few dental insurance providers the VA recommends and offers plans with. Nothing says "we support veterans" like a good old fashioned sell-off of data.