My Egghead Dilemma

On January 8, 2001, I received a disturbing e-mail from top honcho Jeff Sheahan at Egghead Software (egghead.com). In brief, Sheahan admitted that the large e-commerce site had been compromised by hackers during the Christmas season. Here is one snippet from the e-moessage:

“I realize that taking this precautionary measure of informing you and the credit card companies of the breach resulted in the cancellation of credit cards, and even embarrassment, for some of you, and we sincerely apologize for any trouble this may have caused.”

While Sheahan’s message attempted to put the best possible spin on a disturbing incident, it caused me to stand back and re-evaluate my relationship with the company.

As part of the shakeout of the DOT COMs during the spring of ‘00 came an implosion in the number of e-commerce Web sites. With fewer places to purchase computer related accessories, finding rock bottom pricing becomes more challenging. Using the MySimon Web site as a screening mechanism for finding low prices, Egghead frequently appeared as a candidate e-commerce location for near-bottom pricing and good service. For example, as reported in a 10/20/00 article, “Problems at Amazon,” I saved $20 on a laser printer cartridge. Frankly, the easy to use site, with 3.6 million credit cards in its database, provides stiff competition for Amazon.

How Does It Happen?

Security of credit card transactions remains high on the list of concerns preventing skittish Websurfers from making greater use of the Web. Large, tiffany e-commerce Web sites, benefiting from cooperation within the industry, make an all-out effort to prevent credit card theft. In fact, keeping the information out of harm’s way by keeping the credit card numbers database off-line (unavailable for downloading) has proven to be extremely effective in preventing theft from hackers. Cases of outside network penetration that resulted in stolen credit card information can invariably be traced to careless or lax security procedures. This was the case at Egghead. Credit card information was kept online. Stupid.

In an article written by MSNBC.com, it was reported that Egghead, as of late December, had not implemented a series of minimum computer security standards issued by Visa International. Essentially, Mr Sheahan’s memo contains the hollow statement: “Our first priority has been to protect our customers.” Frankly, future purchases of products from Egghead give me pause. Since the 1/8/01 memo from Mr Sheahan, there has been no follow-up correspondence, no update on the FBI investigation, no statement on how the theft occurred, and no list of changes in procedures to prevent a reoccurrence. No nothing. Disturbing!

Frankly, one would expect this level of ineptitude from small, under financed e-commerce sites – not one the size of Egghead. Essentially, this incident sends a chill through the Internet community at a time when sales revenue (and profit) are needed more than ever before. Although there have been no reported incidents of the credit cards from the Egghead database amassing large fraudulent charges, Egghead customers, like myself, have not been reassured that these incidents have not occurred and been covered up.

Protection Available?

Many people find comfort in the knowledge that there is a liability ceiling of $50 maximum on fraudulent credit card transactions. Keep in mind, however, when reporting fraud, the hidden costs of contacting the credit card companies and the ensuing hassle of straightening out the mess. The credit card companies continue to flood mailboxes with fresh offers of new credit card accounts. It might be prudent to have one credit card only in use for online purchases. When credit card statements arrive, it becomes easy to distinguish suspicious transactions. A low credit limit on the “Internet card” might provide additional safety.

The Dilemma

E-commerce continues to thrive on the Internet in spite of missteps by Egghead.com, CreditCards.com, and others. The open question is should I cancel my Egghead account and have my credit card information purged from their database? Call me crazy but I have not cancelled. Well, not yet. Instead, I sent Mr Sheahan an e-mail note requesting an update on new security measures implemented as a result of the investigation. I will keep you posted.

URLs (Uniform Resource Locators) of interest:

http://www.msnbc.com/news/513197.asp

http://www.zdnet.com/eweek/stories/general/0,11011,2671628,00.html

(This is the 243rd of a series of elementary articles designed for surfing the Internet. Next, “Junkyard Wars” is the subject on tap. Stay Tuned. Until next week, happy travels through cyberspace. Previous issues of Internet Info for Real People can be found: http://www.thebee.com. Please e-mail comments and suggestions: rbrand@JUNO.com or editor@thebee.com.)