I think it would be fair to say that Kierkegaard & Perry Labs, Inc’s breach notification to Maryland in July impressed me somewhat unfavorably. KPL was reporting a hack that had compromised some customers’ names, addresses, and credit card numbers with expiration dates and CVV codes. Their investigation revealed that 8 customers’ information was acquired (not just accessed) by the hacker(s), who had been able to insert code into the e-commerce site.
So far, nothing unusual, and I suspect that most of the cards were likely corporate or organizational credit cards and not personal ones, but:
- KPL submitted a copy of a customer notification letter stating how they take privacy and security seriously – but didn’t redact the customer’s name and address;
- They offered affected customers only 6 mos. of free credit monitoring; and
- In their cover letter to the state, they state that their e-commerce site was hacked from an IP in Romania “through a known bug in the website platform.” After the hack, they patched their software. They do not state whether the patch was available for the “known bug” before the hack.
If you were one of their customers and read their cover letter to the state and notification letter to customers, would you feel confident that they take privacy and security seriously?