ActiveStore, a service of TryMedia, a company that offers small game publishers their own privately labeled e-commerce site for selling games, is notifying its customers -- both publishers and consumers -- of a breach to the ActiveStore site in November and December of 2011.
The breach has to be the worst thing that can happen to a business whose entire reason for existence is managing digital game storefronts for retailers that can't afford to build their own e-commerce sites. And it is for this very reason I wonder why TryMedia delayed notifying its customers.
In a letter sent to its customers in January, TryMedia stated credit card information processed through ActiveStore between Nov. 4 and Dec. 2, 2011, had been breached.
"An illegal and unauthorized intrusion regrettably occurred, which may have caused your personal information to be compromised," the letter stated.
A second letter, addressed to the New Hampshire Department of Justice and the Attorney General and dated Jan. 13, 2012 -- a full month after the incident was discovered -- stated, in part, that the “intruders may have been able to intercept and obtain cardholder names, credit card account numbers, expiration dates, security codes, postal addresses, e-mail addresses and passwords to optional user accounts on ActiveStore storefronts …”
Here's what I find disturbing: The letter to the Justice Department lists all the steps the company took once the breach was recognized. TryMedia “took the affected systems offline,” and “engaged external experts to investigate the incident,” and has even “taken additional steps to enhance our information security controls.”
All well and good. However, what is the one step the company did not take? It didn't notify its customers whose card numbers were stolen. Nor does TryMedia seem to be embarrassed by this oversight -- in the letter to the Justice Department TryMedia doesn't apologize for the delay. In fact, in the letter, which was written in future tense, TryMedia actually wrote, “We plan to notify approximately 12,456 of our users of this potential breach in the security of their personal information.”
Am I missing something here? Why did it take so long to notify those most affected by the incident?
By way of apology and perhaps reassurance that future breaches won't happen, TryMedia is offering its customers a “free complimentary one-year membership for ProtectMYID,” a company that provides credit monitoring and identity theft resolution services, typically neither free nor complimentary.
The company also gives users a toll-free phone number for those victims who want more information.
TryMedia is recommending users take advantage of U.S. law, which entitles everyone to one free credit report annually, and to consider placing a fraud alert statement on their credit card.
If all this was important information to give to their customers in January, wouldn’t it have been even better to relay this information in November or December, right after the breach occurred?
If the folks at TryMedia are out there and reading this, please contact me and I will tell your side of the story, no charge, free and complimentary.