RPGNow credit card information stolen

molonel

First Post
trancejeremy said:
Ack! I don't mean to be rude, but shouldn't all RPGNow/RPGShop customers have gotten an email about this? Learning something like this from message boards is not acceptable, IMHO (though about on par with my past experiences with RPGNow's customer service - which generally consists of siccing GMS on people who complain). Even if only a small number of people were affected, I think all your customers should have been alerted to keep their eyes on their statements, or better yet, remove the info from your site.

I made a purchase of about $200 worth of PDFs and print books in early September, and I am extremely unimpressed that I'm learning about this compromise of their database from a completely unrelated source. Yes, I do believe I should have gotten an email, especially since I had fraudulent activity on one of my credit cards toward the end of the year, and I'm now left to wonder if it was related. I shouldn't have to Google my own name to see if I was on that website.
 


Timespike

A5E Designer and third-party publisher
Olaf the Stout said:
I Googled my name too, just in case. My name is only on 3 sites that I could see and I know exactly what all of them are.

Olaf the Stout

I have a "John Smith" name, so I'm okay, I think.
 

AdmundfortGeographer

Getting lost in fantasy maps
molonel said:
I shouldn't have to Google my own name to see if I was on that website.
You don't have to apparently. If your CC info was vulnerable to swiping by a hacker you should have gotten an email already telling you so. Not all who made purchases with a credit card there were vulnerable, only those who chose to store their credit card data at the online store...

I'm one who was less than prudent and chose to.

I got my email this morning telling me my data was among those swiped.
 

chriton227

Explorer
I would be very surprised if RPGNow will be able to continue to be able to accept major cards after this. The credit card industry implemented a data security standard known as PCI DSS in 2004; this mandates what security measures merchants need to use to secure credit card information. All stored credit card numbers are supposed to be encrypted so that if there is a breach of data, the data is not useful without cracking the encryption.

The credit card companies are very serious about this, and seem more than willing to fine or revoke merchant status from any company that they find that isn't in compliance. In the event of a breach, if the merchant wasn't compliant, they are in for a world of hurt. Just from Visa's end, if they weren't compliant when they were breached and any of the numbers were Visa cards, the fine is $100,000. If they didn't notify Visa immediately upon discovering the breach, there is an additional fine that can be up to $500,000. I imagine MasterCard has similar fines, since the fines are levied by the card companies, not the PCI organization.

Here are details from Visa's site: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
 

Glyfair

Explorer
Mark CMG said:
Between ebay and everything else they handle (millions and millions of transactions each month), I hear almost no nightmare stories...

With people using it to buy, perhaps. With people on the other end is different, as our own Morrus can attest.
 


Kanegrundar

Explorer
I got an email yesterday about this. I didn't realize I stored any CC info on their site. :\ At least the card that it's tied to has been canceled for a few months now.
 

trancejeremy said:
Ack! I don't mean to be rude, but shouldn't all RPGNow/RPGShop customers have gotten an email about this? Learning something like this from message boards is not acceptable, IMHO (though about on par with my past experiences with RPGNow's customer service - which generally consists of siccing GMS on people who complain). Even if only a small number of people were affected, I think all your customers should have been alerted to keep their eyes on their statements, or better yet, remove the info from your site.

I am of the same opinion. Especially since it is no great thing to find the roughly 70 pages of stolen data on the web.

Now, I neither have received mail nor seen a special advertisement at the RPGNow page. To me, this seems very unprofessional, and while I understand that people at RPGNow must be quite busy right now, I feel that the company is treating me like an idiot in holding back such information. For me personally, this poor crisis management brings up the question if I should ever use their service again.
 

Elephant

First Post
hexgrid said:
Me too.

My wife runs an online store from our house, and it's always surprising to me the number of people she encounters who don't want to pay by paypal because it "isn't safe." They've got no problem handing their actual credit card number to a piddly online store that they know nothing about, though!

If the piddly store is defrauding them, they can cancel the charges with the CC company - the merchant has the burden of proof that you received the merchandise they claimed you bought, AFAIK.

OTOH, paypal has been known to freeze accounts for rather arbitrary reasons, which makes people wary. I don't think Paypal's actions will affect your CC or bank acct if it's not actually through them, though.
 

Jason Anderson

First Post
Ivid said:
Now, I neither have received mail nor seen a special advertisement at the RPGNow page. To me, this seems very unprofessional
RPGNow have emailed everyone that was affected (ie: everyone who stored their CC info on their server). If you did store your info there but didn't receive an email, most likely your spam filters stopped it. If you didn't store your CC info on the site but your CC info was on the google cache page, please let us know (as that could indicate a more serious problem).

Last I heard RPGNow weren't going to email *all* customers (since they've already emailed everyone who was affected), but that could change.

(I agree with you that they should have a note on the front page - but I can see why they wouldn't want to. If you were visiting a merchant for the first time, would you trust them enough to buy something if they had a note on the front page that they had been hacked in the past?)

Cheers,
Jason
 
