Foothills Park and Recreation District is taking its lumps in the South Jeffco community after the data theft of more than 12,200 credit card numbers and addresses.
The theft occurred in the last week of September, and the district announced the security breach Oct. 1. It e-mailed notifications to more than 10,800 of the customers whose information was stolen and sent letters to the rest. But for some, the letter wasn't enough.
"We have people who are very concerned and rightfully so about their information," said Ronald Hopp, Foothills executive director. "Luckily, we're not gathering Social Security numbers, and the information stolen was somewhat limited. Thank goodness we're not collecting Social Security numbers for any reason, and we never will."
The hacker who stole the data made off with the credit card numbers, addresses and first and last names of 12,228 people. The database from which the information was stolen did not have the three-digit security codes from the back of the credit cards, nor any other information that would help in stealing someone's identity or draining their bank accounts.
The district hired a security consultant to analyze the scope of the theft and to make recommendations on how to prevent similar thefts in the future. Online registration has also been suspended until the security situation is worked out.
But that's not enough for some district residents.
Paul Warbington, one of the people whose data was stolen, took issue with the way people were notified, the lag time between when the theft was noticed and when people were notified, and the retention of credit card data for as long as two years.
"The flippant nature of this letter and the lack of taking responsibility for the cause and costs associated with this incident are outrageous," Warbington said in a draft of a letter to Hopp and the Foothills board of directors. He said that computer systems dealing with credit card information should be protected with the best security systems available.
"We obviously focused on getting the information out as quickly as possible," Hopp said. "To say it's inconvenient, that's an understatement. I understand everybody's position. I happen to be one of the patrons whose information was breached as well. I'm directing all of the changes that are necessary as not only the executive director of Foothills but also as a patron."
He said the lag time between when the breach was discovered and notification of customers whose data had been stolen was necessary to notify the district's attorney, the insurance companies and the Jefferson County Sheriff's Office.
"It took an outside consultant to analyze and determine exactly the number of people and who was impacted," Hopp said. He added that he has received some criticism for informing customers of the breach via e-mail, but that it was "a conscious decision in an effort to expedite the process as quickly as possible."
Hopp also addressed Warbington’s criticism over the district holding on to credit card information for as long as two years after a transaction.
"It was historical practice to retain that information in the event of needing to provide a refund or a credit to those accounts if need be," Hopp said. "I would agree (with Warbington that the data shouldn't have been retained for that long). That practice is going to and will be eliminated and will not happen any longer."