HBR Case Study: Stolen Customer Data

by Erin McCune on September 4, 2007

in Security

My favorite feature of the Harvard Business Review is the case study: fictional scenarios that represent common managerial challenges, followed by concrete solutions from experts. This month the situation is directly relevant to payments and transaction security. It involves a regional chain of electronics stores that discovers its customer transaction data may have been compromised.


“What kind of data breach?” Brett asked. His tone was calm, as
always, yet he scanned the
[airport] lounge to make sure that no one could

“I’m still not sure,” Laurie admitted. “I was contacted by Union
Century Bank. They regularly examine their fraudulent accounts for
patterns, and we’ve shown up as a common point of purchase for an
above-average number of bad cards. They’re getting me more information,
but I thought you’d want to know right away. It could be nothing—or it
could be significant.”

Brett recalled the newspaper stories he had read about stolen
laptops with veterans’ records stored on them and about hackers trying
to penetrate eBay and other big online retailers. His firm was just a
regional chain with 32 stores in six states and a modest online
presence. Flayton’s could hardly be a target for stealing lots of
customer data. Or could it?

“Laurie, I’m not sure I understand. People were using stolen credit
cards at our stores? Our clerks weren’t checking cards correctly?”

“No,” she replied earnestly. “It looks like we might be the leak.”

As you read the case, ponder what you would do if you were CEO Brett. Should you contact customers immediately? Defer to law enforcement? Fire your CIO? Be sure to read the compelling and diverse suggestions offered by the following four experts:

James E. Lee, senior vice president and chief public and consumer affairs officer at ChoicePoint, based in Alpharetta, Georgia.

Bill Boni, corporate information security officer for Motorola in Schaumburg, Illinois. He is also a vice president and board member of the Information Systems Audit and Control Association, a global organization based in Rolling Meadows, Illinois.

John Philip Coghlan, former president and CEO of Visa USA, headquartered in San Francisco.

Jay Foley, executive director of the Identity Theft Resource Center in San Diego.

HBR Case Study
Boss, I Think Someone Stole Our Customer Data
Harvard Business Review
September 2007
Reprint R0709A

One Response to “HBR Case Study: Stolen Customer Data”

  1. Online Payment Gateways

    As a Visa PCI certified payment gateway, AssureBuy offers the reliability and se
