As the retailer in question was Woolworths, the ICO may only be able to take limited action, but even so the case highlights the staff issues when it comes to protecting customer data.
At the start of the week, the Daily Mail reported that payment card receipts from Woolworths had been found dumped round the back of a store in the run-up to its closure.
The wad of receipts contained the full 16-digit numbers from customers’ cards, even though best practice is to star out most of the number to help prevent card cloning.
It is understood that the receipts had been passed to the Information Commissioner's Office, which has promised to investigate. The Daily Mail article also suggested that Woolworths’ administrator Deloitte could be forced to write to all customers involved, to warn them that their credit and debit card data could have been compromised.
This is a prime example of how not to handle credit and debit card information, and shows that customer data security is not just a matter of systems but, just as importantly, of processes.
While it is not ideal that Woolies was printing receipts with full card numbers, this becomes much more of an issue when staff don’t handle their portion of the receipt correctly.
Perhaps you can’t blame Woolies staff; they were days away from losing their jobs when this breach was discovered. But the retailer’s management had a duty to protect its customers right to the end, and it failed.
Several banks have also been caught out with this kind of process breakdown, when sensitive customer data has been recovered from their branches’ bins. But this does not make it any more palatable for a retailer to be caught out, even one that no longer operates stores.
At a time when staff may be feeling demoralised and demotivated, it is even more crucial to make sure that they don’t cut corners when it comes to taking care of customers. No retailer can afford to be sending letters to customers warning that it may have exposed them to a fraud risk.