Score: 70

I was recently informed, by the payment processing agency of my bank, that an online shop was compromised and that as a precaution my MasterCard credit card was frozen and replaced. There was no actual fraudulent charge.

I have inquired with my bank which particular shop was compromised, but was told that they do not receive this information from MasterCard for privacy reasons.

I feel that I am entitled to know where my private information was leaked. It does influence my decisions as a consumer. Further I have to consider that other private information may also have been leaked. The privacy argument seems pretextual.

Is it common to withhold this kind of information from affected customers? Are there any further ways to find out more about what happened?

Note: I was unable to speak to anyone at MasterCard, all attempts were forwarded automatically to the bank.

psmears
Tari
  • Have you tried contacting Mastercard? They might only tell the bank who has been affected, but it's possible (but by no means guaranteed) that they'll tell the customer where the details came from. – TripeHound May 30 '17 at 16:42
  • In the US this is definitely the standard practice. I don't know if Germany specifically or the EU generally has consumer laws in place to require disclosure, but the US definitely has no such laws. – quid May 30 '17 at 16:45
  • Although I agree that you should have a right to know, I also feel that a merchant should have the right to stay anonymous if they choose to. If they could not, it's possible they wouldn't report the breach in the first place for fear of losing business, and that would be even worse for everyone. Of course, MasterCard also has the right to revoke the merchant's ability to accept MC payments, if they felt that the merchant was compromised due to negligence or some other reason that could have reasonably been prevented. – TTT May 30 '17 at 16:59
  • Additionally, there might not have even been a breach. There may have been an audit of some merchant's data storage practices and though there was no evidence of a breach the merchant was removed from the network and everyone who has ever used that merchant is being issued a new card. – quid May 30 '17 at 16:59
  • What private information of yours was leaked? I'd argue your credit card number is not your private information; it's the credit card company's. After all, they're the ones getting charged through its leakage. Is your name private (can it be private?) and if you think it somehow is, was it leaked? If not, what was actually leaked? – user541686 May 30 '17 at 21:45
  • The public interest of getting companies to admit that they leaked sensitive data like credit card info vastly exceeds the private interest of consumers knowing where a leak occurred. It is also likely that in the near term after a leak, there is an ongoing civil or criminal investigation into the leak which could be compromised by revealing the victim. – asgallant May 30 '17 at 22:56
  • @TripeHound yes - any attempts to contact MasterCard so far were directly forwarded to the bank. I have to give my CC# on the phone and they will directly forward me before I can speak to anyone. – Tari May 31 '17 at 07:41
  • @TTT / asgallant: I disagree with ranking company-ass-covering over transparency towards the customer. Incentive to not withhold information should come from liability. The idea that transparency could compromise investigation is a hypothetical theory. In that case, it could still be handled much more transparently. – Tari May 31 '17 at 07:54
  • @Tari: The idea that transparency would make merchants (and/or their payment processors) more motivated to cover up breaches rather than alerting the networks may strictly speaking be hypothetical, but it is such an obvious speculation that there seems to be little point in gambling with everybody's security by testing it out in practice. – hmakholm left over Monica May 31 '17 at 09:52
  • @Mehrdad, The CC# is absolutely my private information, or to be more precise personally identifiable information (PII) that identifies me. Yes my name is also PII. Also I get charged in the first place. That is not affected by limited liability. – Tari May 31 '17 at 09:59
  • @HenningMakholm I agree that the cover-up argument is real (was referring to compromising the criminal investigation being theoretical). However, you can also easily turn that around the argument: If there was no quiet way to handle breaches, merchants had more incentive to prevent breaches. – Tari May 31 '17 at 10:16
  • @Tari: I used to feel the same way as you, until I realized I was wrong. First, when your CC is charged, that's the company getting charged, not you. You only get charged (/billed) by the CC company for authorized purchases; clearly they know this wasn't the case here. So clearly you can't get charged here. Second, private information and personal information are pretty different things, and PII is a legal term not really fully encompassing either. You were arguing your "privacy" was violated here. You might be right, but I don't see how. Read the first sentence on "Privacy" on Wikipedia... – user541686 May 31 '17 at 10:47
  • @Tari: ...it says "Privacy is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively." You could argue, say, your right to live a secluded life would be violated if someone was able to charge you for fraudulent purchases, but that clearly can't happen here. And once a credit card number is voided, it no longer belongs to you and cannot affect you. The only possible argument I see here is someone trying to correlate it with other databases later, but good luck trying to prove that as a real threat in court. – user541686 May 31 '17 at 10:51
  • @Mehrdad I never even wrote that my "privacy" was violated. I wrote that my private information was leaked. MasterCard claims that they can't disclose the leak due to "privacy reasons" (another translation would be "data protection reasons"). Also we may have a different understanding of what privacy or PII means due to translation issues and cultural differences. In Germany the Bundesdatenschutzgesetz - which can be translated either as Privacy Act or Data Protection Act - does in fact protect the individual .. regarding the use of his personally identifiable information. – Tari May 31 '17 at 11:08
  • @Tari: If by "private information" you mean "information I was supposed to keep secret [i.e. information that was not supposed to be public]" (which seems to be what you're saying) rather than "information whose revelation can result in an invasion of my privacy [i.e. hindering my ability to live a secluded life]" (which I understood originally) then the clear answer is "this information is no longer secret and so your responsibility to hold it secret has already ended". And I'm ignoring the legal terms because I don't know what they are and I'm talking about the concepts, not legalese. – user541686 May 31 '17 at 11:17
  • @Mehrdad PII (personally identifiable information) does not have to be secret in any sense. Your name, your birthday, even your age is PII because it can be used, in combination with other elements, to specifically identify a person. Disclosure of PII is protected by law in many jurisdictions, even when it is not private per se. – Joe May 31 '17 at 18:42

4 Answers

Score: 65

As indicated in comments, this is common practice in the US as well as EU. For example, in this Fox Business article, a user had basically the same experience: their card was replaced but without the specific merchant being disclosed. When the reporter contacted Visa, they were told:

"We also believe that the public interest is best served by quickly notifying financial institutions with the information necessary to protect themselves and their cardholders from fraud losses. Even a slight delay in notification to financial institutions could be costly," the spokesperson said in an e-mail statement. "Visa works with the breached entity to collect the necessary information and provides payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring, and if needed, reissuing cards. The most critical information needed is the affected accounts, which Visa works to provide as quickly as possible."

What they're not saying, of course, is that it's in Visa's best interests that merchants let Visa know right away when a leak occurs, without having to think about whether it's going to screw that merchant over in the press. If the merchant has to consider PR, they may not let the networks know in as timely of a fashion - they may at least wait until they've verified the issue in more detail, or even wait until they've found who to pin it on so they don't get blamed.

But beyond that, the point is that it's easier for the network (Visa/Mastercard/etc.) to have a system that's just a list of card numbers to submit to the bank for re-issuing; nobody there really cares which merchant was at fault, they just want to re-issue the cards quickly. Letting you know who's at fault is separate. There's little reason for the issuing bank to ever know; you should find out from the merchant themselves or from the network (and in my experience, usually the former).

Eventually you may well find out - the article suggests that:

[T]he situation is common, but there is some good news: consumers do in many cases find out the source of the breach.

But of course it doesn't go into detail about numbers.

Joe
  • The last claim in the article I find somewhat surprising. I've never been informed about the origin event behind any of the half dozenish times I was issued a new card number. With the semi-exception of one whose timing correlated with a major middleware transaction processing entity being breached, none of them ever could be associated with a breach that made the national news. – Dan Is Fiddling By Firelight May 30 '17 at 18:59
  • Another issue is the certification Visa does on merchants to handle payment details. They absolve and protect them of any responsibility as long as the merchant adheres to the (rather strong) standards set out. Disclosing their name on request would certainly breach the spirit, if not the letter, of that contract. – Ordous May 30 '17 at 19:00
  • I think it's also important to note here that while it's tempting to think that the cardholders are the customer of visa or mastercard, it's actually the merchants that are their customers. They are the ones that pay the processing fees. It's generally bad business to go around blowing your customers in for their mistakes. – JimmyJames May 30 '17 at 21:21
  • Could you bold the main point in your second paragraph. It was hard to see where the actual answer is, but it was there: Visa needs merchants to be comfortable announcing a breach as fast as possible, and protecting the merchant's reputation is part of their process for doing so. – Cort Ammon May 30 '17 at 22:24
  • I think the entire answer is the actual answer, that's just a part of it. – Joe May 30 '17 at 22:31
  • Thanks for the article. It is unfortunate to see that Visa is no better than MasterCard. Otherwise I would have switched. – Tari May 31 '17 at 10:16
  • The main reasons not to disclose are clearly exposed. PR for the merchant, not souring the relationship between card network and merchant, and because the card issuer and the bank could care less about the other data. – Mindwin Remember Monica May 31 '17 at 12:23
  • @DanNeely : I agree that claim looks unsourced, but I don't doubt that people do find out thanks to the news. This does happen. Granted, this is absolutely not something I've noticed in every case, but I have heard of such problems announced on more than one occasion. (Maybe you would need to utilize a different news source to notice this? Some of my exposure to such announcements might be IT-related news, as this subject is considered interesting because it reflects InfoSec - handling of information.) – TOOGAM Jun 01 '17 at 13:53
Score: 8

I found a German article describing the legal situation in Germany. To summarize:

  • The "Bundesdatenschutzgesetz (BDSG) § 42a Informationspflicht bei unrechtmäßiger Kenntniserlangung von Daten" (roughly: Privacy Act: Obligation to inform on illegal obtainment of information) governs this situation.
  • Credit card information is explicitly included in the law (§ 42a 4).
  • Condition 1: It needs to be very likely that a third party has obtained the information and the company needs to know that.
  • Condition 2: There needs to be a severe adverse impact on the affected. The risk of assessing this correctly is with the company.
  • The affected must be informed immediately, but only after counter measures are performed and criminal investigation is not endangered.
  • The disclosure must give the affected a hint on the way the information was illegally obtained, and measures to mitigate potential consequences. The affected shall know that and which information leaked to outsiders.
  • If it would not be feasible to inform each affected, in particular because there are too many, they can also inform the public through at least two half-page newspaper advertisements or the like.

As outlined by the many possible reasons in the other answer, it is unclear from the information I have, whether condition 1 holds. Also condition 2 may not hold since the credit card was frozen.

I suppose this makes a good argument to MasterCard and my bank, but I also suspect they will not care unless it comes with an attorney letterhead.

Tari
  • Probably even an attorney letterhead will not matter. They have already complied with the requirements - unless there is verbiage that you have not included that requires the credit card company to disclose from which merchant the leak occurred. – Taemyr May 31 '17 at 11:14
  • Well technically, the entity that stored and lost my information needs to inform me. Assuming that there is a web-shop as the letter indicates, they have not. – Tari May 31 '17 at 11:20
  • @Tari: My German isn't good enough to tell for sure, but at a glance, it doesn't look like the entity that lost your information is obliged to inform you directly, as long as they ensure that you are somehow informed of the breach. Letting their credit card processor and/or your bank take care of informing you probably satisfies their legal obligations. – Ilmari Karonen May 31 '17 at 11:37
  • Good work finding the relevant legislation, and thanks for adding it here! – Joe May 31 '17 at 18:40
  • @IlmariKaronen you have a good point. I don't know, might be something for courts to interpret into the law. A good point is also that the shop might not have (currently valid) contact information, so the way over MasterCard is more reliable. It also depends on how far telling me about the way of illegal obtainment goes. – Tari Jun 01 '17 at 15:17
Score: 7

Others have already commented on the impact of anything which dissuades merchants from raising possible breaches, so I won't dwell on that. Maybe we need stronger legislation, maybe we don't, but it doesn't change today's answer. Often it works the other way around to what you might expect - rather than the merchant noticing and notifying Visa/MC/others, Visa/MC/others spot patterns of suspicious activity (example 1).

I don't have any data on the relative numbers of who is being notified/notifying between merchants and payment processors, but at the point when your card is identified as compromised there's no reason to suppose that an individual merchant in the traditional sense has been compromised, let alone identified. In fact because there's a fast moving investigation it could even be a false alarm that led to your card getting cancelled. Conversely it could be a hugely complex multinational investigation which would be jeopardised.

It's simply not safe to assume that simply "brand X" has been compromised, therefore everything "brand X" knows about you is also compromised:

  1. They could be separate systems, so only CC info involved
  2. It could be their upstream payment processing contractor (and by implication all other merchants with the same setup, example 2 but think SagePay/WorldPay/PayPal etc. in the online world)
  3. (Not related to online so much) could be just one franchisee of a large franchise
  4. They may not even know which online shop, simply the type of data attached in a "dump" indicates it's likely to be online, but the only thing known so far is that your card number had shown up somewhere

Furthermore there's no reason to assume the merchant has even admitted to, or discovered the root cause. MC/Visa/Banks, at the point at which they're cancelling cards simply can't say (at least not in a way that might expensively backfire involving lots of lawyers) because the standard of proof needed to go on record blaming someone is simply not yet met.

So: yes it's common that you aren't told anything for all of the above reasons. And of course if you really want to find out more you may have some success with your local data protection legislation and formally make a subject access request (or local equivalent) to see what that brings back. Be sure to do it in writing, to the official address of both Mastercard and your bank.

Flexo
  • Thank you for the good listing of possible things that may have happened. The wording on the letter I received implied that there was indeed a specific online shop involved, but I guess that doesn't necessarily rule out a POS break. The multitude of different possible events, all concerning my PII, are exactly the reason why I am inquiring for transparency. For example, if they told me that an unnamed upstream payment processing contractor that handles only my Name, Address, CC was compromised, that would already be a huge improvement. – Tari May 31 '17 at 10:14
  • I don't think this is very relevant to the situation. The sort of letter OP received indicates that a merchant informed the network of a breach of information from their systems, not that a merchant informed the network of a specific incident of fraudulent activity at the merchant. – Joe May 31 '17 at 18:38
  • @Joe I don't imagine there are more than a few form letters used for situations like this. I doubt they have a sufficiently nuanced set of letters to cover all the various subtleties that might lead to a "we've cancelled your card" moment, they may even deliberately hide the fact that they saw your card in a dump somewhere. Furthermore there's no indication from the question to support your assertion that "a merchant informed the network of a breach". Without an exact copy of the letter we can't say. The Q just says "an online shop was compromised", nothing more which could mean many things. – Flexo May 31 '17 at 20:08
  • My point is I don't find this answer to contain information relevant to this question. It's more of a form answer to a generic question, than specific to this one. – Joe May 31 '17 at 21:17
  • @Joe, but my point is that the question itself isn't specific. It says the letter stated "an online shop was compromised" without saying how it was compromised or who noticed that. It didn't say "a merchant reported that their online shop was compromised" in which case I'd be inclined to agree. – Flexo May 31 '17 at 21:35
  • I disagree; I think that letter is quite specific (I've received nearly the identical letter myself). In any event my point is I don't see what your answer adds here; if the question in your mind isn't specific, then how does this really help in any event? – Joe May 31 '17 at 21:36
  • Specifically the question asks: Is it common to withhold this kind of information from affected customers? Are there any further ways to find out more about what happened? Your answer wanders around just guessing at things, and then suddenly says 'Yes it's common' without any logical tie to the rest of the answer. Compare to my answer - which specifically cites an investigative reporting piece into the exact topic - or to the OP's answer, which cites the specific legislation. – Joe May 31 '17 at 21:38
  • @Joe My point is that I think banks like to hide behind a very bland simple reason which in reality is a facade that hides a great many subtleties and stops them straying into libel/slander when it's not clear cut and they're just looking out for their own bottom lines. – Flexo May 31 '17 at 21:47
Score: 1

If you really want to know, sue them.

File a John Doe lawsuit, "plaintiff to be determined", and then subpoena the relevant information from Mastercard. John Doe doesn't countersue, so you're pretty safe doing this.

But it probably won't work. Mastercard would quash your subpoena. They will claim that you lack standing to sue anyone because you did not take a loss (which is a fair point).

This is total war. Amy's Waffles is not the enemy.

They are after the people doing the hacking, and the security gaps which make the hacking possible. And how those gaps arise among businesses just trying to do their best. It's a hard problem.

And I've done the abuse wars professionally. OpSec is a big deal. You simply cannot reveal your methods or even much of your findings, because that will expose too much of your detection method. The ugly fact is, the bad guys are not that far from winning, and catching them depends on them unwisely using the same known techniques over and over. When you get a truly novel technique, it costs a fortune in engineering time to unravel what they did and build defenses against it. If maybe 1% of attacks are this, it is manageable, but if it were 10%, you simply cannot staff an enforcement arm big enough - the trained staff don't exist to hire (unless you steal them from Visa, Amex, etc.)

So as much as you'd like to tell the public, believe me, I'd like to get some credit for what I've done -- they just can't say much or they educate the bad guys, and then have a much tougher problem later. Sorry! I know how frustrating it is!

How this might occur - not Amy's fault

The credit card companies hammered out PCI-DSS (Payment Card Industry Data Security Standards). This is a basic set of security rules and practices which should make hacking unlikely. Compliance is achievable (not easy), and if you do it, you're off the hook. That is one way Amy can be entirely not at fault.

Example deleted for length, but as a small business, you just can't be a PCI security expert. You rely on the commitments of others to do a good job, like your bank and merchant account salesman. There are so many ways this can go wrong that just aren't your fault.

As to the notion of saying "it affected Amy's customers but it was Doofus the contractor's fault", that doesn't work, the Internet lynch mob won't hear the details and will kill Amy's business. Then she's suing Mastercard for false light, a type of defamation where the facts are true but are framed falsely. And defamation has much more serious consequences in Europe.

Anyway, even a business not at fault has to pay for a PCI-DSS audit. A business at fault has lots more problems, at the very least paying $50-90 per customer to replace their cards. The simple fact is 80% of businesses in this situation go bankrupt at this point.

That data breach may not be so bad

Usually fraudsters make automated attacks using scripts they got from others. Only a few dozen attacks (on sites) succeed, and then they use other scripts to intercept payment data, which is all they want. They are cookie cutter scripts, and aren't customized for each site, and can't go after whatever personal data is particular to that site. So in most cases all they get is payment data.

It's also likely that primary data, like a cloud drive, photo collection or medical records, are kept in completely separate systems with separate security, unlikely to hack both at once even if the hacker is willing to put lots and lots of engineering effort into it. Most hackers are script kiddies, able to run scripts others provided but unable to hack on their own.

So it's likely that "none was leaked" is the reason they didn't give notification of private information leakage.

Lastly, they can't get what you didn't upload. Site hacking is a well known phenomenon. A person who is concerned with privacy is cautious to not put things online that are too risky.

It's also possible that this is blind guesswork on the part of Visa/MC, and they haven't positively identified any particular merchant, but are replacing your cards out of an abundance of caution.

Harper - Reinstate Monica
  • Where do you get $50/customer? What does this have to do with informing a customer of a merchant of a breach? You seem to think the business should have the time go investigate/audit etc but after that why not inform customers of the problem after the investigation/audit is completed? – quid May 31 '17 at 21:26
  • You misunderstand what I am saying. That is not an opinion of what I think should happen. That comes from the PCI-DSS literature, which is aimed at merchants, and states the consequences if they are caught with a data breach, including the ~$50. You talk like it's an option for businesses to investigate, nope, it is forced down their throat. I am stating facts. The only thing I "seem to think" is that you couldn't possibly beat them up any worse than Mastercard already has. If anything you would feel sorry for them. – Harper - Reinstate Monica May 31 '17 at 21:42
  • I'm supposed to feel bad for a business that screwed up and let my credit card information get stolen? Yeah, I don't see that (nor do I see how this really answers the question). – Joe May 31 '17 at 21:43
  • @Joe you would if you knew, yes. They made a mistake. Should they go bankrupt professionally and personally? Do you own a business? Let me put it this way, I think Visa/MC are reluctant to "out" businesses which have had breaches, because they have already pummeled the business near to death, and since the citizens are fully indemnified, their only interest would be prurient: to crucify them for sport on social media, which would certainly finish off the business. Which would mean they never collect any additional money owed Visa/MC from the incident. Which means higher rates for you. – Harper - Reinstate Monica May 31 '17 at 21:47
  • I understand what you're saying and understand that there is a formal process for merchants. But after the issue is resolved or the company is in bankruptcy, what is stopping anyone from finally reporting to customers? Nothing in there prohibits the merchant from reporting to customers, and you feel the merchant should be given time to understand the issue, but then what once the issue is understood? – quid May 31 '17 at 22:27
  • Though, I wasn't aware of a strict $50/customer fee, do you have a source for that, or the 80% of businesses stat? Additionally, I think credit card numbers are about the most overhyped piece of "private" information because as you point out you're covered from fraud, but I think the person asking the questions isn't terribly concerned about CC numbers as they are about possible actual private information. Like if there was a data breach at a medical billing outfit and medical records could be in play. – quid May 31 '17 at 22:45
  • Visa/MC could dox them if they saw reason to (however this would have side-effects). And the business could self-report. But the ultimate question is does this do any good? Good point about medical, but Credit card processing and medical records are totally separate for that very reason, and medical records are subject to HIPAA, a vaguely similar set of rules to PCI. The $50 was in the first doc I tried: http://www.revention.com/whitepapers/dangers_pci_compliance.pdf so I'm confident it'll be repeated elsewhere. – Harper - Reinstate Monica Jun 01 '17 at 01:46
  • They should be totally separate for that reason and everyone should respect HIPAA handling. Fact of the matter though is that not all responsible entities do all the time, and there are no teeth to the anemic laws that do exist in the US. Data is not always properly handled, you don't need to be notified if/when entity A shares with entity B, you don't get to know that entity C bought parts of entity A and B's datasets and recombined them, you don't get to tell anyone no in a meaningful way, and you don't get to be notified when something ultimately goes sideways. – quid Jun 01 '17 at 02:07
  • From the doctors I've talked to, HIPAA is scary stuff. To them. But they go to medical conferences, not Blackhat. Again there's a practical limit of what is possible given who you're dealing with: regular old business people whose business isn't IT security and are working with J. Random Windows 7 PC. Worse, HIPAA is enforced by the government so you're back to the security staff a G10 wage will buy. – Harper - Reinstate Monica Jun 01 '17 at 02:56
  • I find your allegations of malicious intention towards innocent business owners alienating. At no point do you recognize my interests for transparency. Your example is off, given that I have been told it was an online shop. But even in your case: Explaining that Doofus is at fault, has been dealt with, and Amy followed all good practices is easily possible without even using tech lingo and establishes the kind of transparency I call for. – Tari Jun 01 '17 at 11:34
  • @Tari I'm sorry to put you on the defensive, but look at your OP. You say flat out people should know! Well, you don't enumerate anyone but yourself, but tell only you? You get security vetted and sign an NDA? You don't mean that! What you want only works if you nonconsensually out the business. Mastercard has decided that's a bad idea. I agree and I told you why. That's the reality of fighting people like this. It hurts not to be able to tell people, but I touched on a few of the dozen reasons that would make things much worse. – Harper - Reinstate Monica Jun 01 '17 at 13:21
  • Also I'm sorry you feel like I didn't "recognize your interests in transparency". In my job I've dealt 1-1 with hundreds of people with that same frustration. It's very hard to tell them no. But I must impress on you just how fragile the craft is, and we can lose. You want to think of fraud prevention as being an infallible monolith! No, it's asymmetrical warfare. You depend on 99% of attacks being the same old stuff. The 1% of new, inventive attacks are extremely costly to investigate. And if the bad guys get smarter, you cannot upstaff and train fast enough, bad guys win. – Harper - Reinstate Monica Jun 01 '17 at 14:46
  • @Harper, I think you're missing the intent of the question. And just to point out again, it has nothing to do with credit card data, or what standards are supposed to be in place to protect credit card data. It's clear you have some involvement in this industry, but you need to take a step back and re-read the question and comments. Nobody is questioning whether or not security is hard to accomplish. Or impenetrable. – quid Jun 01 '17 at 15:17
  • @quid OP has two sentences ending with a question mark. How can I find out who? - I am the only person who gave a serious answer to that. Is it common to withhold? - Yes and I went at length to explain several of a dozen reasons why, and I'll grant you I embellished a bit. Forgive me if I was too literal. What question would you like answered? Would you like to see the discussion taken in a different direction? (keeping in mind that Q/A is the format here, it's not a discussion forum generally.) – Harper - Reinstate Monica Jun 01 '17 at 15:37
  • Who's at fault when someone sets up WiFi really has nothing to do with whether or not there is a law in Germany compelling business to report data breaches to consumers. But good luck to you! – quid Jun 01 '17 at 16:43
  • -1 This post has a thread of interesting information, but it's very bloated, and very biased. Just the facts, please! – jpaugh Jun 01 '17 at 18:32
  • Substantial edit. I'm trying! @jpaugh – Harper - Reinstate Monica Jun 01 '17 at 19:20
  • I didn't ask the question. @Tari did. – quid Jun 01 '17 at 19:34
  • @quid whoops I see what you mean. I am getting whiplash here, I don't even know what question I'm supposed to be answering. I edited extensively in response to you and jpaugh. SMH sometimes dealing with the money.se feels like banging my head against a wall. – Harper - Reinstate Monica Jun 01 '17 at 19:38
  • These comments are really in need of a cleanup for volume, but I've left them for now as they're directly about improving the answer, but I'd like to come back and prune them later. My own view is that this answer does head rather off-topic and it might be better to cut it down to the first paragraph plus a brief summary that omits the technical lingo. – GS - Apologise to Monica Jun 01 '17 at 23:13
  • "What question would you like answered?" How can transparency be improved with no or little benefit for the bad guys? With the specific goal of allowing me to evaluate 1) what further steps could be done to minimize damages and 2) how seriously the involved parties take the protection of my PII. Remarks: A) I am not buying a general telling anything helps bad guys. I suppose bad guys will at least figure out easily what batches of CC were frozen. B) suggesting data avoidance in this context is ridiculous. C) Damages from publishing a leak are a consequence of the leak, not the publish. – Tari Jun 02 '17 at 08:16