Saturday, July 17, 2004

Incident: Intuit warns of credit card risk

From CNET News.com:

Intuit warns of credit card risk CNET News.com:

"Intuit, a provider of financial software and services, is warning 47,000 customers that their credit card data may be at risk after computers were stolen from a company office.

According to a letter sent to customers last week and a notice recently posted on Intuit's Web site, the theft happened in early June at the Omaha, Neb., office of ItsDeductible, a software maker acquired by Intuit last year to be part of its TurboTax tax preparation business.

Thieves broke into the office the weekend of June 11, according to the notice, and took several items, including a PC with password-protected customer data. "

Full text here ...

One thing that I find simply amazing is that the computers contained the personal information, including credit card data, for approximately 47,000 customers who purchased Intuit's "ItsDeductible" products between December 2002 and November 2003. Is there any reason why credit card data should be kept for transactions that took place over a year ago?

This highlights the risk inherent in keeping data longer than you need. Once you have sensitive data, you are responsible for protecting it. If the data has no business value, it is now a liability because of the costs of securing it and, more importantly, the cost of having to deal with it being stolen. It just doesn't make business sense to retain any personal information for any longer than you need it.

1 comment:

Anonymous said...
This comment has been removed by a blog administrator.