It is quite amazing how companies can compound a difficult situation by punishing the innocent and then pointing proudly at the demonstration of their inability to rub two neurons together when it comes to figuring out the impact of their actions.
Apparently sometime in early February, credit card companies learned that someone had grabbed as many as 8 million credit and debit card account numbers from a small company that processes card transactions for mail-order and Internet vendors.
News reports did not pinpoint just when the information theft happened. At first the card companies seem to have kept the news secret, but in mid-February they told at least some of the banks that had issued the cards. The card companies told the banks that there had been no suspicious activity on any of the cards and that they were monitoring card activity closely just in case.
After a few days of secrecy it came out that the company was Data Processors International Inc. of Omaha, Neb. While the terms "security" and "privacy" do not appear on Data Processors International's home page, the company does brag about its "super secure server network" on an inside page. I guess that it has been empirically determined that "super secure" is not enough in some cases.
If an Internet-based computer hacker did the theft, as the reports have it, then anyone who uses this company should ask just why these records were on an Internet-accessible computer.
The card companies seem to have acted about as well as one could expect. When they learned of the theft they checked for suspicious activity and informed the issuing banks. Maybe they could have informed the banks sooner, but at least they did inform them.
Most of the banks also behaved quite well. Many of them informed their customers but did not panic. There was no reason to panic, because the stolen numbers were known and their accounts could be watched.
But at least one bank seems to have had a brain fart. Rhode Island's Citizens Bank deactivated more than 8,000 of its customers' cards just before a weekend. A bank spokesperson said it was to protect the customers.
Let me understand this: Credit card companies have policies that eliminate all customer risk, such as customers not being liable for unauthorized charges, and the card companies reported that there had been no suspicious activity with any of the stolen cards. Just what was the bank protecting its customers from when the bank made it impossible for customers to use their cards to do things like buy groceries?
A bank that cannot think any better than this will not get my business but could be a valuable case study in what not to do if you have any interest in your customers.
Disclaimer: The Harvard B School does use case studies for teaching, but this one would not be believable - who could be so dumb - so it's my own lesson.
Bradner is a consultant with Harvard University's University Information Systems.