BookSurge Incident: An Example of a Very Poor Way to Notify of a Privacy Breach

A friend and colleague of mine told me today that he had received an email notice from a company of which he is a customer, BookSurge, which was recently acquired by Amazon.

I had not noticed any news reports about it before I heard from my friend, but upon hearing this and doing some searching I found one lonely little article about it in the Charleston Post & Courier from August 10:

"North Charleston-based publisher BookSurge LLC said Wednesday that a hacker possibly infiltrated its computer system and gained account information on tens of thousands of its customers.  As of Wednesday, none of the 42,000 customers who could be affected had reported any problems with their personal accounts, said BookSurge spokeswoman Mary Meagher.  "We have no reason to believe that any customer data was compromised, but we have notified the affected individuals out of an abundance of caution," she said.  BookSurge has been owned since last year by Internet heavyweight Amazon.com.

Meagher declined to say what percentage of the company’s customer base the affected accounts represent. She also would not comment on how the security breach came about and how it was discovered.  BookSurge learned late last week that an "unauthorized individual" might have gained access to files on a computer server that contained credit card and other account information for some customers and authors, according to an e-mail message it sent out. It went on to say it had "no indication that your credit card or other account information" was compromised.

Meagher said the company has taken its servers offline and has started an investigation. "We’ve been in touch with the appropriate authorities," she said. 

Typically, potential computer crimes are investigated by the Secret Service, which is a branch of the U.S. Treasury.  On Wednesday afternoon, BookSurge’s Web site was not functioning. Meagher said the company is working to get the system up and running again as soon as possible.  "We take the protection of customer data very seriously and are committed to providing a safe and secure online environment for our customers and authors," Meagher said. "We are taking additional security measures to help prevent such an incident from happening again."

For security reasons she declined to say what those measures are.  BookSurge developed an "on-demand" software system that can quickly print and bind as many or as few copies as a buyer wants. It can ship orders in two days, saving publishing houses and authors the cost of printing and storing thousands of copies at a time.  The company operates next to a bingo hall in a Dorchester Road shopping center. The company was purchased in April 2005 by online retail pioneer Amazon.com, reportedly for $10 million.  While the BookSurge computer system is down, customers still can place book orders via Amazon.com, said Patty Smith, spokeswoman for the Seattle-based company.  "The servers are completely separate," Smith said."

The BookSurge site was working today.

According to my friend, the only notification he received was a brief (6 sentence), vaguely worded email on August 8.  The extent of the information provided was just:  "I am writing to let you know that we have learned that an unauthorized individual may have gained access to files on a BookSurge server which contained credit card and other account information from some BookSurge customers."

The email provided no dates for when the breach occurred (although the news report said BookSurge "learned late last week" about the breach), and it did not provide a phone number that the impacted individuals could call.

They said they had no indication that credit card or other account information was compromised, but without knowing any details about the event, how does this make the 42,000 affected customers feel better?  Those customers will likely be the ones to find out if their personal information has been compromised.

Not only was the email notification vague, breach notification via email, especially *only* via email, is a very bad business decision. 

Breach notification via email should only be done

  1. if the customers have agreed to accept such types of notifications in advance by email, and
  2. as a supplement to a USPS mailed letter, and/or personal phone call. 

Numerous state-level breach notification laws indicate that email-only notification should not be done; email should be used only as a secondary form of notification.

Email-only notification is a bad idea for many reasons.

  1. It is highly likely in today’s spam-heavy environment that many, if not most, recipients will view such email notifications as spam and never read them, or their spam filters will delete them before they ever get to the inbox.
  2. It is highly likely in today’s phish-abundant electronic waters that many, if not most, recipients will view such email notifications as phishing attempts and delete them without even reading them.
  3. It is highly likely that a large percentage of customers, particularly within a group of 42,000, will either no longer use the email address the company has on file for them, or they may not check that email regularly, if at all, any more.
  4. Email is not a reliable form of communication.  Just because you send an email, even to a valid email address, does not guarantee it will ever reach its recipient; businesses should not make such faulty assumptions that just because you send an email it will be delivered.
  5. If the email is sent to a "family" or shared type of email address it is very possible the person who would recognize the importance of the information may never get the message before it is deleted by someone else who may have seen it first.
  6. Only sending an email…and a horribly vague and weakly worded one at that…shows disregard for the customer and appears to just be a token action being done in a sorry attempt to appease regulators.
  7. And several more reasons I decided to edit out of my typing… 🙂

There was no mention of the need for the customers to check their credit reports, let alone any suggestion that the company might step up to its blunder and provide credit monitoring for the affected customers.

The email also indicated they were "taking additional security measures to help prevent such an incident from happening again."  Why weren’t these measures already in place?  If the information had been encrypted, would the incident even have occurred?  What other measures should they have already had in place?

Their website has absolutely no information about this breach…another bad thing.

The Amazon site has nothing about this incident in its press releases, either.  I wonder if Amazon did any type of review of the BookSurge security program when it acquired the company.
