Walmart's (NYSE:WMT) streaming video service, Vudu, said on Tuesday (April 10) that it was hit with a data breach that exposed personal data for some of its customers. The theft came after burglars physically broke into a Vudu office in Santa Clara, Calif., and stole hard drives that apparently contained data backups.
"On March 24, 2013, there was a break-in at the Vudu office and a number of items were stolen, including hard drives. These hard drives contained customer data including names, email addresses, mailing addresses, account activity, dates of birth, and encrypted passwords, but no full credit card numbers," the company said in a statement on its website. The company added that the drives only contained the last four digits of payment card numbers, and that it has reset all customer passwords.
Vudu didn't say why it had hard drives containing customer data in its business offices, but commenters at Silicon Valley investment blog TechCrunch speculated that the drives contained periodic backups of operational data. Regular full backups would normally be stored at a secure offsite facility, but copies of the data might have been intended for analytics use.
Yes, it's good that Vudu doesn't store full payment card numbers—the last thing Walmart needs is for even a subsidiary to be slapped with fines from Visa and MasterCard for losing those. But too many retailers are too cavalier with customer data that's not covered by PCI. Drives containing customer information are routinely stolen from cars, offices, homes, hotel rooms, restaurants, restrooms and airport security lines. Big, highly portable collections of customer data are really easy to create. They're even easier to steal—mainly because they spend most of their time in areas with low levels of physical security.
But there's no PCI for that data, despite the fact that it's a treasure trove for identity thieves. No, they can't use a customer's likely-to-be-canceled credit card number. However, with just enough data, identity thieves can order up their own credit cards.
Keeping a tighter rein on that kind of data isn't even that difficult—personally identifiable data can be scrubbed out and replaced by one-time customer ID numbers if retail employees want to take data out of the data center (or copy it to the cloud) for analysis. But as long as retailers don't take a hard line on protecting all customer data, both in and outside the computer room, this kind of physical theft will keep happening.
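As an added illustration of the scrubbing step described above (example code written for this page, not anything Vudu or Walmart published), the Python below strips the direct identifiers from a customer record and replaces the real customer ID with a keyed one-way token before the record is copied out for analysis. The sample records and field names are constructed to mirror the categories in the breach notice; the per-export HMAC key is this example's way of producing the "one-time customer ID numbers" the text mentions. It also includes a release gate that refuses an export in which any raw identifier value survived.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample records (not real Vudu data). Field names mirror the
# categories the breach notice lists: names, email and mailing addresses,
# account activity, dates of birth, password hashes and last-four card digits.
CUSTOMERS = [
    {
        "customer_id": 10001,
        "name": "Alice Example",
        "email": "alice@example.com",
        "mailing_address": "1 Main St, Springfield",
        "date_of_birth": "1980-05-17",
        "password_hash": "$2b$12$constructedhashvalue",
        "card_last4": "4242",
        "account_activity": [{"date": "2013-03-01", "title_id": 555, "rental": True}],
    },
    {
        "customer_id": 10002,
        "name": "Bob Example",
        "email": "bob@example.com",
        "mailing_address": "2 Side Rd, Shelbyville",
        "date_of_birth": "1975-12-02",
        "password_hash": "$2b$12$anotherconstructedhash",
        "card_last4": "1881",
        "account_activity": [{"date": "2013-03-05", "title_id": 777, "rental": False}],
    },
]

# Direct identifiers never leave the data center in an analytics copy.
DIRECT_IDENTIFIERS = ("name", "email", "mailing_address", "password_hash",
                      "card_last4", "date_of_birth", "customer_id")


def new_export_key() -> bytes:
    """Fresh key per export: tokens from one export cannot be joined to those
    of another, which is what a one-time customer ID buys you. The key stays
    inside the data center (or is discarded if re-identification is never needed)."""
    return secrets.token_bytes(32)


def pseudonym(customer_id: int, key: bytes) -> str:
    """Keyed one-way token. Same key + same ID -> same token, so an analyst can
    still count repeat customers; without the key there is no way back."""
    mac = hmac.new(key, str(customer_id).encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def birth_decade(dob_iso: str, width: int = 10) -> str:
    """Generalize a full date of birth (YYYY-MM-DD) to a decade band."""
    year = int(dob_iso[:4])
    start = year - year % width
    return f"{start}-{start + width - 1}"


def scrub_record(rec: dict, key: bytes) -> dict:
    """Keep only what the analysis needs; replace the rest with derived fields."""
    return {
        "pseudo_id": pseudonym(rec["customer_id"], key),
        "birth_decade": birth_decade(rec["date_of_birth"]),
        "account_activity": rec["account_activity"],
    }


def export_for_analytics(records: list, key: bytes) -> list:
    return [scrub_record(r, key) for r in records]


def _leaves(obj):
    """Yield every scalar value in a nested dict/list structure."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _leaves(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _leaves(v)
    else:
        yield obj


def leaks_identifiers(records: list, scrubbed: list) -> bool:
    """Release gate: True if any raw identifier value from the source rows
    survives as a leaf value anywhere in the export, including nested fields."""
    raw = {str(rec[f]) for rec in records for f in DIRECT_IDENTIFIERS}
    return any(str(leaf) in raw for leaf in _leaves(scrubbed))


if __name__ == "__main__":
    key = new_export_key()
    out = export_for_analytics(CUSTOMERS, key)
    print(json.dumps(out, indent=2))
    print("identifier leak:", leaks_identifiers(CUSTOMERS, out))
```

The key is generated once per export and never travels with the copy, so a drive holding the export carries nothing that maps back to a person; a stolen drive holding full records is exactly the outcome the article describes. The release gate is a last check on the output, not a substitute for deciding up front which fields the analysis actually needs.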