Thursday, November 04, 2010

Hobby Search Gives Away Customers' Credit Card Numbers

One of our competitors in Japan (Hobby Search) recently sent this notice out to their customers, forcing thousands of people to cancel and have reissued the credit cards they used to purchase Anime figures and merchandise directly from them in Japan:

Dear Hobby Search customer:

We are writing to let you know of a hacker or hackers that penetrated our computer system and accessed customer data including credit card information.

At the time of writing, we do not know of any of this information being available publicly. It is important to us that you, the customer, do not experience any monetary damages because of this incident, and have provided the information of all the cards that may have been involved in this incident to each of the credit card companies so that they may monitor the activity on these cards. If you have any concerns about the security of your card, please contact the card company (via the number on the back of your credit card).

Also, although we have switched to a more secure credit card transaction system that only stores the last four digits of your card on our databases on July 7, 2010, we have disabled credit card payments indefinitely.

The credit cards involved in this incident are those used in orders prior to July 7, 2010 (a maximum of 23,526 cards), and we are notifying those affected with this email.

The information that may have been accessed - Credit card numbers, expiration dates, cardholder names

We do not store personal verification passwords or security codes on our databases, so these have not been accessed. Again, we have switched to a more secure credit transaction system on July 7 that only stored the last four digits of those cards and cannot be abused by a third party. We are deeply sorry for any inconvenience or concern that this incident may have caused.

Toshiyuki Suzuki, my opposite number over at Hobby Search, cannot be pleased.

Now you all know it's a bit of a pain to re-enter your order data on our store site every time you place an order with us - in fact, I write about it here on our FAQ - but when you do, you can rest assured that because we don't maintain a public server that stores customer address and payment transaction data, the information that you give us can never be stolen or accessed by outside parties.

Anyone can tell you their public servers and/or payment platforms are secure, but are they really? How can they ever be sure? Well, we're sure here, because we don't ever give hackers a chance.


ザイツェヴ said...

Therefore, you provide an easy way to pay with PayPal, which does not require disclosing any account information to the merchant... what?

Robert said...

Customers using PayPal are taking the same risk.

Do you give PayPal your personal and payment information? What if PayPal gets hacked?

The last time I checked, PayPal requires you to store at least a credit card number on file to have an account. Many merchants at least offer you the election to store your payment info server side or not. PayPal cannot offer any better security for their customers' information than any other large corporation (who seem to get hacked all the time), and unlike a merchant, PayPal often also holds their customers' bank information. The level and depth of personal information that PayPal requires from their users and stores on their servers handily trumps anything a regular merchant might have.

I think any inclination about PayPal somehow being safer than other payment methods is, frankly, ridiculous.

GTM said...

I totally agree with the way your order process works, I've been ordering from you since 2003 and at first I felt that it was a pain to keep filling up the info each time but then I realized how safe this was.

Sorry I haven't ordered for a while, but might order some mangas soon :)

tenkenX6 said...

It's better to be safe than sorry, in my honest opinion. I really don't mind having to fill out the order form every time an order is placed. I've gotten quite accustomed to this practice, since I've been shopping online for a long time. Besides, no one wants to deal with the backlashes when your personal information is stolen.