Why My Love of Led Zeppelin Put Me At Risk Of Identity Theft.

About a year and a half ago, I attended a concert at Boston’s Berklee College of Music in which a faculty band played Led Zeppelin’s 1973 album Houses of the Holy in its entirety. Advance tickets cost $8, half off the door price; I ordered four ahead of time. Led by guitarist Joe Musella, who teaches a course on Jimmy Page, the group did a great job.

The concert remained a pleasant memory until recently when I received a letter from Berklee. “We are writing to inform you of an incident that may have involved your personal information,” the university’s chief financial officer said. He went on to explain that the college’s ticketing vendor Vendini detected an unauthorized intrusion into its system in April. The company did not notify the public until July “to support law enforcement’s investigation.”

The hacker may have obtained “personal information, such as name, mailing address, email address, phone number, and credit card numbers and expiration dates that belong to our members’ consumer-patrons,” Vendini explained in a blog posting.

Unfortunately, such attacks in which hackers penetrate flaws in a company’s security are increasingly common. Sometime after the Led Zeppelin concert, I ordered six mechanical pencils and replacement lead and erasers fromShoplet.com. Early this year the online vendor which sells office supplies and other goods sent out a letter saying a hacker accessed their system and may have gotten names, addresses and credit card information of clients. Shoplet said it was installing a hardware firewall and moving their database “to a more secure zone.”

My first experience as a data breach victim occurred some years ago when the City of New York Department of Finance informed me that an employee had disclosed my Social Security number. In fact, many of us have been impacted by such breaches. In the last two months or so, data breaches have occurred at hospitals, medical clinics,Fidelity Investments , US Airways, Fairfax County Public Schools in Virginia, NYC Bike Share, andApple AAPL -1.07%, according to a list of breachesmaintained by Privacy Rights Clearinghouse. By their tally, more than 600 million records have been breached in nearly 4,000 incidents since 2005.

In another incident at the start of the summer,Facebook FB +3.28% announced that a bug in their site allowed the private email and phone numbers of six million users to be shared. In late August, the Federal Trade Commission filed a complaint against Atlanta area LabMD after discovering that the medical testing lab had exposed data on about 10,000 consumers. Such breaches also happen worldwide. Some years ago Israeli officials acknowledged hacking into the Israeli Population Register with personal details on more than nine million people; the hacker posted the information on the Internet.

It’s hard to say what a company’s or agency’s responsibility should be in the case of data theft. On one hand, they are a victim of crime, and have suffered reputational damage. On the other hand, flaws in their own security allowed the breach to occur. Vendini charges a small service fee for selling tickets. Perhaps they should refund the impacted customers in a gesture of goodwill. Shoplet offered a limited time offer of 10 percent off on the next order. If I repeated the amount of my first order, I would have saved $4.55 as a result of the stolen data.

We are writing to inform you of an incident...

I reached out to the CEOs of both companies for their responses to what had happened. Vendini did not respond, but Tony Ellison of Shoplet shared an interesting perspective on the breach. “We were subject to same internationally originated hack attack that has brought down many other large and small etailers, alike,” he said. “In the past 19 years of doing business online we have foiled successfully at least over 10,000 small and large attempts. Doing business online has become more expensive and riskier.”

“For a small business to go through this process, it was both horrible, heart wrenching and (a) learning experience. We have since upgraded our systems and our security procedures to minimize such attack in the future. While we have gone above and beyond this time and overspend on security, we will remain vigilant and make sure that we do not fall prey again and become a victim of such an attack.”

I would be interested to hear from readers who have suffered from such data breaches. Did anything negative happen afterwards, and what did the company do as compensation? What do you think would be proper compensation which such breaches take place.