PlayStation or PlagueStation? Another Lesson to be Learned About Internet Privacy


There’s a lesson to be learned from the Sony PlayStation Network debacle. When a high-tech company like Sony can’t keep subscribers’ personal information confidential, how can we trust relatively small businesses to do so? Sony announced, after keeping its corporate mouth shut for a week, that someone hacked into its database and gained access to, oh, just about 77 million personal files that include names, addresses, phone numbers, birth dates, passwords, login IDs, and may also have grabbed credit card numbers and expiration dates. In other words, their PlayStations may turn into “PlagueStations”.

In a moment I’ll offer some advice to PlayStation Network users. But first let’s talk about what kind of information people should be sharing with commercial companies.

In 1998 or thereabouts, when I was the consumer reporter for a TV station here in the Bay Area, I received a call from a distraught viewer who, while passing a dumpster, noticed that the bin was overflowing with bundles of what appeared to be application forms. It turned out they were forms for consumers who wanted to rent tapes from Blockbuster Video. Each form contained the customer’s name, address and credit card number. The forms also asked for driver’s license and Social Security numbers. Remarkably, most of the applicants had filled in those spaces as well, although doing so was optional. Anyone passing that dumpster could have obtained personal information on thousands of people and gone to town exploiting this vital info. Many of these applications had been completed by educated and professional people.

Fortunately, as soon as we aired the report “live,” both Blockbuster’s regional manager and the Campbell, California police force showed up to secure the site. The upshot is this: your information is never secure. So the more of it you share, the more likely you’ll have your identity stolen, and by nefarious nabobs of negativism (shout out to the late Spiro Agnew). Why would Sony need a person’s date of birth or phone number?

This is the advice, in part, that Sony is giving its customers:

“At no charge, U.S. residents can have . . .  credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file.”

Users are advised not to respond to emails and phone calls that ask for personal information, and to carefully monitor their credit card statements for irregularities, unfamiliar charges in particular.

Last week, I wrote that OSH (Orchard Supply Hardware) stores in California now require that customers allow OSH personnel to run consumers’ driver’s licenses or military ID or passport through a card reader when returning purchases. When challenged, OSH says its database is secure. Evidently, OSH is doing this in order to track customers who return a lot of purchases. After all, it could be tempting for someone with compromised ethics to “borrow” tools or pieces of furniture and return them after briefly using them. But why does a retailer need my name, license number, address, birth date, hair and eye color, and weight in order to credit a purchase back to the same card I used to begin with?

And how trustworthy is OSH’s security? The Pentagon has suffered several cyber breaches of security during the last four years. In December of 2007, a hacker gained access to the personal information of 800,000 UCLA students, staff and alumni. I guess OSH knows something about security that Sony, the Pentagon and UCLA have been unable to master.

My advice is not to give out more personal information than is necessary. I’m not sure why Sony would need anyone’s date of birth or address, for instance. Social Security numbers should rarely be required, usually only where and when required by law, as with financial records.

As for OSH’s driver’s license requirement for returns, it’s goodbye OSH, hello Ace Hardware.

Are you Willing to Swap Convenience for Privacy?

 


I am downright paranoid about privacy. Getting my Social Security number from me is less likely than a cow jumping over the moon. It amazes me how easily, even in this day of rampant identity theft, consumers are willing to turn over their personal information to any web site or merchant who asks for it.

Orchard Supply Hardware, commonly known as OSH, has 85-plus retail outlets in California. Their stores are smaller than big box stores like Lowe’s but considerably larger than the typical Ace or True Value location. Some years ago OSH became a subsidiary of Sears.

There is an OSH just three blocks from my house and I have often joked that if I had an employer I would ask for direct deposit, not to my credit union, but to OSH. I have bought everything from power tools to screws to plants at that store.

I recently returned a 2 ½ gallon jug of driveway cleaner to the store and was asked for my driver’s license. I showed the license, still in my wallet, to the staffer. “I’ll need you to take it out of the wallet,” she remarked.

“Why?” I responded, as if I didn’t suspect what was coming, much to my chagrin (I brought my chagrin along on this trip as I always do. My chagrin hates to be left alone at home).

“I need to run it.”

“Gee,” I thought, “She’ll definitely win that race. My license has no legs.” But what I said out loud was, “No.”

“Excuse me?” she interrogated.

“If I let you enter the information on my driver’s license into your computer, it will go into a database. There, anyone who works for your company can access all my personal information. And if a hacker gets into your system they (Ed. note: yeah, I know, bad grammar) can steal my identity.”

“We use a company to maintain the database and it’s secure,” she politely retorted.

“If the Pentagon can’t keep its databases secure, and UCLA had 300,000 personal records hacked, I somehow believe that OSH’s database can be hacked into as well,” I rejoined, not that I ever joined anything to begin with.

Here’s the Reader’s Digest version of the rest of this epic tale. Store policy: no refunds without driver’s license.

“But California requires that all such restrictions be conspicuously posted near the cash register.”

“But the new policy is on the back of the receipt.”

“Did anyone point it out when I made the purchase?”

Here comes the store manager.

I explain my concerns, i.e., giving OSH my name, address, date of birth, driver’s license number, hair color, eye color, etc. And since you did not make me aware of the return conditions, you have to pay up.

“May we at least copy down your license number?”

“OK.”

Here’s the upshot. Most people I know say they would never hand over this info, but they don’t have the cojones to stick to their guns. Because I stick to my guns, I often complicate my life, like when my new dermatologist’s staff said they could not process my insurance claim without my SSN, even though my health insurer does not even want to know my SSN. So I had to seek reimbursement through a claim to my insurer, which claim they lost, then forgot to act on the second submission, then had to reimburse me through payment back to the doctor. And it took seven freakin’ months!

So I called OSH headquarters. Mind you, this is a company that was started in 1931 as an orchard farmers’ cooperative in the town of San Jose. San Jose is now America’s tenth largest city. Company headquarters is just a few miles from my home. I want to support a business that employs local people. And I expressed this desire to Barbara, the company customer service gal. Why, I wondered out loud, do I not need to show my driver’s license when I use my credit card before walking out of the store with $200 worth of stuff, but I do need to have my personal information recorded when I ask that the return be credited back to the very same card?

Barbara was flummoxed, if that means what I think it means. And when I told her that, although I had shopped at this OSH hundreds, if not thousands, of times, I would not be likely to shop there again until they dropped the driver’s license requirement, she said she would pass my concerns on to management. I’ll be writing more about that type of process in large corporations in an upcoming blog.

So here I am, about to leave for The Home Depot to pick up a dishwasher discharge hose, lamenting my trial separation from OSH, the local company swallowed up by the big-name retailer; the company that was once my local hardware store and is now just hard.

But I rest assured that my ID will not be stolen, at least not because of OSH’s unreasonable demands.

P.S. – I am a commissioner on the all-volunteer Santa Clara County Advisory Commission on Consumer Affairs. I have just requested that this issue be placed on our next meeting agenda and that we ask the county board of supervisors to recommend to the state legislature (after all, what else does the State of California have to worry about?) that they outlaw this type of invasive refund requirement. So there.