Credit card processing vendor CardSystems Solutions is facing increasing scrutiny of its practices as consumers and lawmakers begin to demand an answer to how 40 million credit card transaction records were stolen from the company’s data banks.

As details about the breach begin to be made public, it’s clear that — once again — the problem is rooted in deep, systemic problems. In a story credited to the New York Times, CardSystems Solutions’ CEO John M. Perry said the data was being kept in a separate file for “research purposes” in violation of company policy. But the deeper problem was a security breach on the company’s computer network that allowed a hacker to install a “logging” program that gathered data and transmitted it to the hacker.

Unfortunately, the circumstances that led to the theft of 40 million credit card records from CardSystems is hardly a unique occurrence. Just ask Eli Lilly.

In late 2001, my old consulting firm, ePrivacy Group, was hired by the Federal Trade Commission (FTC) to help them investigate how nearly 700 email addresses wound up on the “To:” line of an email from the company’s “Medi-messenger” emailed reminder service at The FTC investigated whether the company’s Privacy Policy had been breached by exposing recipients’ email addresses, and if so what caused the breach.

Our investigation revealed, as the FTC has publicly stated, that:

On June 27, 2001, a Lilly employee created a new computer program to access Medi-messenger subscribers’ e-mail addresses and sent them an e-mail message announcing the termination of the Medi-messenger service. The June 27th e-mail message included all of the recipients’ e-mail addresses within the “To:” line of the message, thereby unintentionally disclosing to each individual subscriber the e-mail addresses of all 669 Medi-messenger subscribers.

As our investigation turned up, Lilly had extensive and well-documented procedures for developing and testing of such computer programs before being put into production — procedures which were apparently ignored. In its settlement with the FTC in early 2002, Lilly agreed to implement a more vigorous security monitoring and compliance program, to properly train staff on adhering to the tenets of that program, conduct annual audits of its systems, and to be subject to FTC review for a period of 20 years!

Over the last few years, the FTC has continued to investigate privacy and security breaches. In cases like last week’s B.J.’s Wholesale, Tower Records,, and Microsoft’s Passport, the company’s privacy and security practices were compared to their privacy promises and found lacking.

In most of these cases, it’s clear that the companies thought they were being up-standing and responsible companies. Yet as the investigations turned up, their vague platitudes about privacy and security protection didn’t stand up to scrutiny. For example, Tower Records’ claim of using “state-of-the-art technology to safeguard your personal information” didn’t square with the fact that the company’s network administrators hadn’t applied available security patches for known vulnerabilities on its web servers.

As the CardSystems debacle plays out, I think what we’ll learn is that CardSystems’ screw-ups aren’t at all new or unique. Rather, they are part of an ongoing and systemic problem across corporate America, and are a direct result of the lackadaisical attitude of many companies towards the protection of consumer data in their care.

Until stronger laws give harmed-parties real tools for holding companies accountable for such breaches, there will be little incentive for companies to take privacy and security more seriously.