Wednesday | March 25, 2009
Safeguarding Customer Information
On February 24, 2009 Toronto police laid charges against four individuals in connection with a 9-month investigation of credit card fraud affecting dozens of Toronto retail and service businesses, including Elmwood Spa. The incident was part of a sophisticated credit card fraud perpetrated in the spring of 2008.
As the police had mentioned in their press conference, the fraudsters captured the information by skimming credit card information from a pin pad that had been compromised via a carefully inserted microchip. The fraudsters were described by the police as being a group of “sophisticated, organized criminals”.
For the peace of mind of our guests, it is important to note that the four individuals who were known to the police do not have any previous history with Elmwood Spa. They were not regulars or long-time clients of the spa, nor were they part of the construction crew that renovated the spa in 2006/07, nor were they employees.
Elmwood Spa was notified about this incident by the credit card company on June 6, 2008 and we have had no further notifications of any irregularities since that time. Based on the police report, the credit cards of 216 Elmwood Spa customers were affected.
When this incident was brought to Elmwood Spa’s attention, we were advised by the credit card company that our job was to notify the police, which we did immediately, and that the credit card company would contact their customers, as we at Elmwood Spa had no way of knowing who those 216 people were. The credit card company also advised us that they would manage the investigation and ensure all fraudulent charges were rectified for their customers.
If as a guest of the spa you had been affected by this incident, the credit card company would have contacted you at that time, advised you that your card had been compromised and issued you a new credit card. They would not have shared any other information with you. We were told by the credit card investigator that the cards in question were used for material theft and not identity theft.
Elmwood Spa worked closely with police and the credit card company to assist with their investigation. When Elmwood Spa learned about the incident we also engaged the services of a private firm to recommend and implement additional security measures. Their recommendations have been implemented since spring of 2008.
Elmwood Spa takes its customers’ security very seriously and we have taken every precaution to safeguard customer data and protect their privacy. This was the first incident of its kind in our 30-year history and we deeply regret the theft of customers’ information and are committed to ensuring it never happens again.
A Globe & Mail article (Feb 25, 2009) provided incorrect information regarding this incident. The article stated that “the spa has a circular table just inside its doors with a half-a-dozen self-serve computer terminals, each with a place to swipe a credit card and an electronic pad to scrawl out a signature…”
As our guests know, this electronic tablet simply gathers health information and gives consent for treatment. There is no “swipe” for credit card at that area. In fact, reservations information, heath information and the company’s marketing information (e-mail addresses) are all on separate systems and could not be comprised in this way.
An article by Danny Bradbury, Canwest News Service March 11, 2009 more fairly outlines the vast challenges that credit card providers and merchants are facing, and what consumers need to be aware of whenever and wherever they use their credit cards.
For our part, Elmwood Spa was pleased to learn that none of our customers lost money as a result of this fraud and we are confident this matter has been resolved. If you have specific questions or concerns we encourage you to contact your financial institution directly.
Thank you for your support and continued patronage.
Executive Manager, Spa Services