INDIANAPOLIS— A Fishers man says his personal information was photocopied at a local furniture store and inadvertently ended up in the hands of another customer.
David Pendleton is raising concerns about this data breach and contacted WRTV Investigates for help.
David needed a piece of furniture for his family room, and on September 19, visited the Ashley HomeStore in the Castleton area.
When David went to pay with his Ashley Advantage credit card, he says the salesperson made a request.
"He asked to make a copy of my driver's license and credit card, which at the time felt completely unnecessary and felt odd,” David said. “He said we need this to send in and keep with our paperwork."
Even though David wasn’t applying for anything, just making a purchase, he reluctantly handed over his credit card and driver’s license for photocopying.
Days later, he got a Facebook message from a stranger named Ryan Lundquist.
"The first thing I saw was this picture of my photo ID and credit card,” David said.
Ryan explained in the Facebook message he had inadvertently received David’s personal information, including a copy of his driver’s license and credit card, while visiting Ashley HomeStore.
"I was like oh my goodness, you have got to be kidding me and what do I do this?” David said. “Is Ryan someone can be trusted?"
Ryan Lundquist is an Army veteran and father, and destroyed the document after he messaged David.
Ryan said the personal information was mixed in with other documentation he received from the furniture store.
"I was shocked this could happen with such sensitive information,” Ryan said. “I put myself in David's position. It was such an egregious breach in David's financial security."
David says he had a hard time getting an explanation of how this happened.
“So, I reached out to RTV6,” David said.
WRTV Investigates took our questions to the head of consumer protection with the Indiana Attorney General’s Office, Scott Barnhart.
Barnhart said what happened to David Pendleton would be considered a “serious data breach.”
While Indiana businesses can collect credit card information, they’re supposed to store it separately from other personal identifiers like your name and address.
"If they collect it they have to keep it safe and they have obligations under Indiana law to do that,” Barnhart said. “If information gets out there, they also have obligations to notify the consumer and the Attorney General's office so we can follow up with consumers."
The Indiana Attorney General’s Office does investigations on data breaches regularly.
“We have a team, the data privacy team, that does nothing but looking at whether the law is followed and if it’s not there are remedies that are done,” Barnhart said.
Criminals can use bits of information to steal your identity and open up bank accounts, credit cards and other accounts in your name, and even sell the information on the dark web.
The Payment Card Industry (PCI) Security Standards Council standards say merchants should not store sensitive authentication data, such as a cardholder’s card identification number, CVV, PIN or a card’s magnetic stripe data.
In David’s case, a treasure trove of personal information was on that piece of paper including his name, address, driver’s license number, date of birth, and credit card number.
"The more information you have collected, the higher the risk to the consumer, the higher the risk of a data breach,” Barnhart said.
WRTV Investigates reached out to the Ashley HomeStore Castleton location as well as Ashley Furniture’s corporate office and received an email from Lisa Fanaro, VP Business Strategy, who said she represents the operator of the Castleton location.
“With respect to all customer transactions, we respect the privacy of our customers, and we adhere to applicable law,” Fanaro said in an email to WRTV. “In this case, certain customer information was inadvertently mixed with another transaction. We have addressed this issue with the customer.”
Fanaro said the company strives to strictly maintain the privacy of customer data.
WRTV responded to Fanaro asking why a customer’s driver’s license and credit card were photocopied on the same page in the first place, and whether the practice will continue.
“This was an isolated incident and was addressed,” Fanaro said in an email to WRTV. “As indicated, we consistently adhere to best practices to protect customer data. We have no further comment.”
David Pendleton learned the store had another copy of his personal information, in addition to the one Ryan intercepted.
"I've asked Ashley to destroy it and they put it in writing that they did that," David said.
A customer service representative told David in an email, “We humbly regret the situation that occurred during your visit to the Castleton Ashley HomeStore on September 19, 2020, and the circumstances that followed. The safety of our guest and the security of their information is of the utmost importance to us. Per your request, I am confirming that we have destroyed your driver’s license information.”
David Pendleton plans to file a complaint with the Indiana Attorney General’s office so they can investigate what happened.
David and Ryan hope their story prompts changes at Ashley HomeStore and raises awareness about data security.
David is relieved it was Ryan, not someone else, who ended up with his personal information.
“Who knows what bad people will do with that kind of information, they could have kept the information or perhaps sold it,” David said.
"I believe what goes around comes around,” Ryan said.
TIPS TO PROTECT YOURSELF FROM IDENTITY THEFT
- · Check your credit card and bank statements regularly for unusual activity.
- · Sign up for a free credit freeze
- · Ask questions if a business asks to photocopy your information including why they need it, how it will be retained, what their retention policies are, etc.
- · File an identity theft complaint here
- Ask your bank about its privacy policies and information practices. Find out the circumstances under which your bank would provide your account information to a third party.
- Order a copy of your credit report from the three credit reporting agencies at least once every year to review your file for possible fraud.
- Keep personal information in a safe place. If you employ outside help or are having service work done in your home, keep your personal information out of sight.
- Give your Social Security number only when absolutely necessary. Ask to use another type of identifying number whenever possible.
(Source: Attorney General and BBB)