Fortnum’s risks data security row

Fortnum & Mason has been slammed for risking the security of customers’ personal details after asking them to email their card details in order to get a refund – including the three-digit security code – after a blunder hit hamper orders in the run-up to Christmas.
It has been reported that one customer, who has still not received his delivery despite placing an order in November last year, contacted the store to request a refund.
The company claimed it does not keep any payment details “for data protection reasons” and asks all customers requiring a refund to give their payment details over the telephone.
But in email correspondence, it insisted that it would not be able to issue a refund unless the customer sent their credit card details in an email.
“I will require your card details to arrange a refund (type of card, name of the card, long number, expiry date, security number [CVV code]). The system Fortnum & Mason have in place does not process direct crediting automatically due to encryption measures,” a customer relations advisor wrote, adding “we will instantly destroy your details as soon as you are refunded.”
One security expert blasted: “To talk about destroying the details on the other end would demonstrate an understanding of security that I would term weak, because the data would reside in my outbox and quite possibly in my archived mail, with some likelihood of being transmitted from sender to recipient in cleartext (without encryption) at some point.
“The CVV/verification code on the back of the card is meant to be a huge secret, so if they’re requesting that, then email is a really bad idea for transmission.”
Earlier this month the store was forced to admit that it had still not delivered all the hampers customers ordered for Christmas. One DecisionMarketing reader ordered two hampers in October and neither was delivered in time.

1 Comment on "Fortnum’s risks data security row"

  1. Charlie says: “To ask customers to email their card details is unbelievable. You would think a retailer of this size would have systems in place – then again…”
