Sunday, August 23, 2009

BJ's apples to apples

It was pointed out to me that the comparison I did on BJ's rewards and Fidelity's rewards was not apples to apples. BJ's is a membership upgrade and Fidelity's is a credit card.

If the writer is correct, you can upgrade to a BJ's rewards membership and pay with Fidelity's AmEx card - effectively doubling down on savings.

The earlier reason for BJ's hitting the Company Acting Badly list holds - don't market me a $35 feature that will save me $24.21 a year. And... if you want real savings, apply for a Fidelity card or a similar one from another company.

Friday, August 21, 2009

BJ's fine print

As I received another email from BJ's asking me to spend $35 a year to save $24.21 (click here for earlier post), I thought it would be worth checking out the fine print and conditions on BJ's rewards membership and comparing it to a Fidelity Rewards AmEx card I'm considering getting.

BJ's has a fee. Fidelity doesn't.
BJ's has a cap. Fidelity doesn't.
BJ's rewards expire. Fidelity's don't.

I've put a quick comparison chart together.

BJ's remains a Company Acting Badly for marketing me a rewards card that will lose me money each year and is not competitive across a range of features.

Sunday, August 16, 2009

Chase SSN Loss Pattern?

A quick Google search of Patricia O. (O My God I've Lost Customers' Social Security Numbers) Baker came up with a similar situation to my recent SSN loss.

Click here to read the notice at Datalossdb.

Seems Chase notified the state of New York in late 2006 that a tape with customers' SSNs could not be found at a vendor's off-site facility. Want to bet it's the same vendor as my loss? Want to bet that Chase didn't change any policy from 2006 to 2009?

Of interest in the 2006 notification, Chase offered $10,000 in identity theft protection to each victim. Unfortunately for the 34,266 New York residents affected, the footnote to the letter to the NY state attorney general says that the theft protection is not available to NY residents.

Saturday, August 8, 2009

Chase'ing My SSN Away

When comparing Citi and JPMorganChase (Chase bank), it's not hard to see how Chase is doing better. Citi's in the hole for $45 billion of taxpayer money and Chase returned the TARP funds it never wanted in the first place. Citi's got a revolving management team and board while Jamie Dimon has led Chase for five years. Their stock tells the story as Chase (JPM) is up 17% over roughly five years since Dimon joined and Citi is down 91%. Click here for an interactive chart.

Unfortunately, my belief in Chase's attention to detail and looking out for its customers was smacked by this letter I received yesterday. In short, Chase backs up its customer information on a tape and uses a vendor to store that tape. Chase's vendor can't find the tape that includes my name, address and social security number (SSN).

While Chase might be correct that the tape can "be read only with special equipment and software", let's not kid ourselves that this is rocket science. The larger question is why Chase's data wasn't encrypted so that even if the tape could be read (which it can be), the data would be useless without the key to decrypt it.

It's not even six weeks since I was Schwab'd by Chuck, whose team also lost my SSN and personal information. Like Schwab, Chase is offering to monitor my identity with an Experian product. That's standard. They're offering to monitor it with their own branded product (Chase Identity Protection) that they hope I will like and will pay for in the future. That's Priceless. Leave it to Chase to turn an internal control and process f-up into a marketing and revenue opportunity.

Chase's letter is signed by Patricia O. Baker. That's 'O' as in O' My God, I just lost customer Social Security Numbers.

Perhaps now's the time to short Chase's stock as they've once again made the Companies Acting Badly list, this time by losing my Social Security Number and ID information. Or perhaps it's time for Chase to get a new CIO who can enforce protocols with a data storage vendor. Or perhaps it's time for Chase to get a new data storage vendor. Who's in charge of this at Chase?

JPMorganChase joins Charles Schwab, IBM, Intuit and BNY Mellon as Companies Acting Badly for managing to lose my social security number and other personal information.

Sunday, August 2, 2009

Math at BJ's

It's not often I get an email from a company telling me about a promotion that will cost me more than I can save from their promotion.

BJ's is a Company Acting Badly for either:
  • thinking its customers can't do basic math, or
  • thinking it can trick its customers into signing up for a rewards card that will lose them money, or
  • not having someone in their marketing department who understands how to set up an email campaign

Why should someone spend $35 per year (likely charged in advance) to get rebates on purchases (likely seen monthly) that will amount to $24.21?

Good shopping, decent selection, good prices, but poor marketing puts BJ's on the Companies Acting Badly list.

Saturday, July 18, 2009

Lanced by Elance

Last night Elance (a site I've used to hire website designers and builders) let me know that it had a recent data breach that compromised my contact info including:
  • Name
  • Business email
  • Business Telephone
  • City
  • and my Elance user ID

In short, Elance is trying to act like the eBay for posting and selling programming jobs. Can you imagine if this email came out from eBay?

Elance is a Company Acting Badly for not hiring one of its own reviewed professionals to evaluate and secure its own site. A simple search on their site, like the one here, shows almost 2,500 different professionals with website security backgrounds, some with 100% positive rankings on over $500,000 of work. One of these folks couldn't have been hired by Elance? Isn't it ironic that Elance could have used its own service? That's like folks at eBay not looking on their own listings for products that eBay could use at its own headquarters.

Elance posted a security alert here that gives more detail on what occurred. They've confirmed that the information that Elance didn't secure has shown up on other websites and that Elance users have received spam. Well that's great. Now my business email is going to get spam due to Elance's muck up?

Unfortunately, Elance, like others who've not secured my personal information, does not:
  • say when the theft happened
  • confirm that someone at Elance will be held responsible for not safeguarding my info
Additionally, Elance focuses on resetting passwords and giving tips on picking passwords (like not to use the same one across sites). If Elance's passwords were encrypted, then this should not be an issue so why are they focused on it? Why would they whack everyone's password and force re-registration here?

Scrawlbug had also been nailed by Elance and posted a good suggestion here that all of us who were affected should set up Google Alerts to watch for our Elance ID.

Elance joins the ranks of Companies Acting Badly for losing my work information and not having hired one of their own profiled security experts to test, find and fix any architecture holes.

Friday, July 10, 2009

Data Schwab'd Update

Thanks to the folks at I now know more about what happened (per my Chuck I've Been Schwab'd post) as databreaches posted a notice that Charles Schwab sent to the NH attorney general.

In short:
  • The theft occurred in early May - therefore it took Chuck some six weeks to notify me that I'd been Schwab'd
  • The employee who violated policy was terminated - that saves a severance payment
  • A suspect was arrested - gotta love the police
  • The drive with my data was not recovered - did they check Craigslist?
Charles Schwab remains a Company Acting Badly for taking some six weeks to notify customers that their personal information was stolen and for not providing impacted customers with the same level of detail on the theft as they provide to an attorney general.