An employee who works for the company that processes Disney Movie Club transactions was caught trying to sell customer credit card information, Disney told its customers this week. The story echoes an incident revealed by Fidelity National Information Services earlier this month.
The employee was nabbed in an "undercover sting operation" run by a federal law enforcement agency, according to a letter sent July 6 by the Disney Movie Club to its members.
The employee did not work for Disney, but rather for Alta Resources Inc., which processes transactions and fulfills orders for the Disney Movie Club, the letter said. The employee has been dismissed and the Secret Service is continuing to investigate, according to Disney.
Like traditional music clubs, members of the Disney club sign up to receive one Disney movie each month at a discounted rate, which they can accept or return. It's not clear how many customers received the notice from Disney. Eric Maehara, a Disney spokesman, said the firm was asked not to reveal additional details about the incident, including the number of stolen card numbers. The Disney Movie Club has 1 million members, but not all had their data stolen, he said. In some cases, the stolen data included telephone numbers and e-mail addresses.
A spokesman for Alta Resources did not immediately return phone calls.
Bill Elrick of Utah was one club member who received the notice.
"My first thought was, 'oh crap, not again.' I was also a victim of the TJ Maxx incident," Elrick said. "I just got done closing my account and opening a new one. ... Now I have to do that again."
Elrick is now waiting for another replacement debit card to arrive in the mail from his bank.
"This is a hassle," he said. "I am extremely irritated."
Elrick also said he was aggravated because his data was shared with Alta Resources, a company he'd never heard of.
"I don't remember giving Disney permission to share my information with anyone," he said.
Disney says it has informed the major card associations about the incident, but that it believes consumers have little to fear. The thief apparently bungled the job, and didn't steal all the data necessary to commit most frauds.
"We have been assured that the card security code (e.g. the CVV or CVC code) for your credit card was not included," the Disney letter said.
A wider trend
Still, the incident highlights a problem companies face that gets much less attention than cases of mysterious hackers breaking into company databases from across the Internet -- the inside job. Earlier this month, Fidelity announced that 2.3 million customer records were stolen from the company by an employee of an outside contractor and sold to marketing companies.
"Although the hacker story always gets better media play, the insider threat is more dangerous," said Larry Ponemon, a researcher who runs The Ponemon Institute, a privacy consulting firm "We are starting to see more stories about malicious insiders. Perhaps they are realizing there's a lot of money to be made with this data."
Insider data theft is hardly new. In 2002, Philip Cummings stole steal thousands of credit reports while working for a company that supplies tech support to the nation's credit bureaus, for example. But companies still don't spend as much as they should to stop insider theft, said Avivah Litan, a computer security analyst with research firm Gartner.
"One case of insider fraud does as much damage as 100 hacking attempts," Litan said. "They know where the data is, which accounts to steal, and often, they have access to it."
New technologies offer hope, Litan said. So-called "content monitoring" software watches employee computers for signs of suspicious activity, such as an attempt to download thousands of credit cards. Unfortunately, Litan said, most firms are too caught up in monitoring e-mail and Web browsing abuse to pay attention to data theft. While most firms monitor employee e-mail, for example, only about 5 percent watch for signs that workers are moving data on and off of company servers.
"A lot of this is easy to catch, but you have to have policies and software in place," Litan said. "Unfortunately, most firms have very few policies in place to prevent this kind of fraud."