federalcto.com The Blog of a Federal CTO


Best Buy Security Breach waiting to happen

Seems like there's one breach after another these days, and organizations are leaking data. You would think that a retailer would want to minimize this sort of thing to keep up relations. Apparently, not Best Buy.

I bought a $35 game on BestBuy.com only to find out I already purchased this earlier. So I took the online purchase, that only arrived at my door 2-3 days ago, back to the local Best Buy (the Mall of Georgia one). I handed over the game (unpackaged) and the packing slip when the gal behind the return counter asked for my driver's license. I showed it to her, thinking she just wants to verify me, but she starts typing in the license number.

"Wait, what are you doing? You don't need my driver's license number," I say as I hide my license before she finished. "Sorry, but this is required. Would you like to speak to a manager?" is her reply. "Yes, please," I say.

Christie Bee, the manager, waddles over and just says "I cannot process a return without a license." And there's no way to return something without some ID. I offer up the American Express it was bought on, but that is not good enough. I've got other things to do, and don't have time to argue with Christie about the silliness of all this, and that it violates their agreement with American Express, so I leave in a huff.

About 10 minutes ago, I came home, filed a dispute with AmEx, and told them the store is unwilling to take the return. It looks like American Express is doing the right thing, and I have no doubt they'll resolve this for me.

But the bigger question is . . . Why would Best Buy take on this risk? I understand the whole fraud issue, which is why they're doing this. But the minute they get hacked, every person's driver's license, along with street address and other info, is going to get taken. I have a Rewards Zone account, as well as the credit card it was purchased on. And this is a $35 item from a long-time customer.

So to Best Buy, I pose these questions to you: Why on earth would you ask me to give up my identity to you like this? Do you really expect me to trust you with this information? And why would you want to store this information in the first place? Surely you can think of a better way to handle fraud without taking something so sensitive.

Until this changes, Best Buy won't be getting any more of my purchases.

Copyright (C) 2010-2011 Dmitry Kagansky – All opinions expressed are those of the respective author and do not reflect the views of any affiliate, partner, employer or associate.