Wednesday, November 6, 2013

An Open Letter

I recently received a letter (a real live USPS-delivers-it letter) from Ouidad, a company that makes shampoos, informing me that my credit card data had been hacked.  I responded by sending the following to Customer Service:


Please remove me from your database immediately.

I just received, by mail, your security alert, which is dated October 24.  Today is November 4.

In between those dates, you have sent me no less than FIVE promotional emails, but never bothered to email me that my account (including credit card information) had been compromised.  Did you think I would not want to know this immediately?

I want to be clear here -- I am not angry because you got hacked.  It happens.  I assume you had relatively decent security and that was an accident.  I am angry because you didn't let me know immediately.  No email.  No banner ad across your website.  Just a piece of snail mail.  And here I note that you indicate that upon learning of the incident you "engaged leading security experts" and worked some deal with Equifax for a deal on credit monitoring.  That's all well and good, but the VERY FIRST THING you should have done was inform your customers.

This is phenomenally irresponsible.  Remove me from your database.  I want you to have ABSOLUTELY NO RECORD of my personal information in your system.  You are an incredibly irresponsible company and I intend to never purchase anything from you ever again.  Your apology is worthless and I cannot begin to stress how annoyed I am at the lack of immediate notice to your customers.

Too harsh?