Why is the WSJ customer letter that follows unacceptable? Think about such issues with all companies that you deal with.
- No company should ever store credit card information unencrypted. How does WSJ protect my CC info, and why is that question not addressed after a security breach?
- My CC was charged last night for an auto renewal. I never want auto renewal because among other things it requires storing my CC info. And why was there no “heads up” a few days prior? It worried me coming out of the blue like that.
- How can I “protect my personal information” if WSJ and other corporations with far more resources fail at it, and fail to provide options to customers to minimize risk?
- Specifically, I was unable to delete my credit card using the WSJ web site, which also regularly malfunctions with error messages (in general). I had to phone in and be transferred to a special line to have my CC info manually removed. This is unacceptable and is in direct contradiction with the statement “Protecting our customers’ information is of the utmost importance to us”. Really? Then why is my CC stored at all (I never select auto renew), and why is there no option to remove such sensitive info right in the customer portal?
- Why do companies insist upon storing information that I do not want them to have at all?
Of course WSJ has no desire to see customer information compromised. But statements and actions are different things: risk starts with bad approaches to data retention. The core principle is to minimize what is stored and give customers control over those choices, then encrypt everything else, and then communicate exactly what safeguards are in place, clearly and without generic platitudes.
October 9, 2015
To our customers:
Protecting our customers’ information is of the utmost importance to us. Out of an abundance of caution, we are notifying you that we recently determined there was unauthorized access to our systems. While we recognize that no company is immune to cyberattacks, we are committed to doing everything we can to protect our customers.
To date, our extensive review has not uncovered any direct evidence that information was stolen, and we have taken steps to stop the unauthorized access. We devote substantial resources to cybersecurity and we want to assure you that we are taking additional steps to further fortify our systems.
We have been working with law enforcement as well as a leading cybersecurity firm to assist with our investigation. We understand that this incident was likely part of a broader campaign involving a number of other victim companies. It appears that the focus was to obtain contact information such as names, addresses, email addresses and phone numbers of current and former subscribers in order to send fraudulent solicitations.
As part of the investigation to date, we also determined that payment card and contact information for fewer than 3,500 individuals could have been accessed, although we have discovered no direct evidence that information was stolen. We are sending those individuals a letter in the mail with more information about the support we are offering. If you do not receive such a letter, we have no indication that your financial information was involved.
In general, it is important to safeguard your personal information. Some easy steps you can take include watching for possible phishing attacks (suspicious emails enticing you to click on attachments or links), avoiding calls or emails from unknown sources that solicit your personal information and using trusted security software that is set to update automatically. For more information on best practices to protect your personal information, please visit https://www.onguardonline.gov/. In addition, we encourage you to call customer service at 1-800-JOURNAL (1-800-568-7625) if you have noticed any suspicious activity related to your Dow Jones account or have any questions. If you are calling from outside the United States, please use the applicable number available in the Contact Directory section of our Customer Center.
While we are taking the appropriate actions to handle this incident, I wanted to inform you of the situation personally because I take these matters seriously and value your relationship with Dow Jones.
We regret any inconvenience or concern this may have caused. The need to stay ahead of those who seek to do us and our customers harm is an ongoing priority; we will continue to do everything we can to protect our customers and our systems.
Chief Executive Officer, Dow Jones & Company, Inc.