When I received a letter from BRS explaining they were hacked, and PII (Personally Identifiable Information) was stolen, I, like everyone else, was upset at the news.
I wrote a long email to BRS support outlining my concerns, posing some questions, and generally giving my professional opinion of the situation. (I work in the IT industry, and frequently deploy and maintain e-commerce solutions.) My letter was not an enraged flame, but it was in no way laudatory, and I believe I fairly delineated the consequences to businesses and consumers from such an incident, my view of a business' responsibility after such an event, and equally importantly responsibility before such an event, and some suggestions for their way forward. (I shared the message with my wife, and she gave me one of those looks and said "I would not like to receive an angry letter from you." I wasn't being angry, but I get her point.)
A few hours later, I received a call from Ryan, and we had a long conversation about the situation. I respect his initiative in addressing the damage head-on and in a personal, as well as professional and expert, manner. I believed before, and I believe now, this is a small company with integrity as a core tenet. I can't reveal all I was able to glean from the conversation, but will say that they have well and truly made every practical effort to rectify the situation in the best manner available. (Know that doing so is an extremely expensive and painful proposition for them, and as a small company with whom I like doing business, I hope their balance sheet can survive the hit. As much as we as customers may have lost potentially and in fact, BRS has lost far more.)
I empathize with everyone involved in this: myself, other customers, and BRS too. I do not sympathize, however. This sort of attack, while prevalent (anyone a Target customer?), is not unpreventable. I still maintain the best time to close the barn door is before the horses escape. To mix metaphors, that's water under the bridge now. In talking with Ryan, I am convinced they have learned this very painful lesson. Right now, I have no doubt that one of the safest places to do business on-line is the BRS web site.
"Maybe they will make a youtube video about it....."
I complained that the time it took to communicate the issue was too long. Ryan, I could tell, was as frustrated as we all were on this. I agree with him there is no perfect way to communicate, and on balance they did as well as can really be expected. The above quote was written by another poster, in humor, but Ryan shared that was literally his first impulse and he wanted to do so immediately. The IT experts they brought in shot the idea down in no uncertain terms, and were right to do so. Immediately after the discovery, there were not enough facts in evidence to craft a coherent message, let alone an effective action plan for the business or consumers. Until they knew the nature and reach of the intrusion and theft, what was the message to be? "We were hacked. Data was stolen." Painful, but better to wait and have a clear message, targeted at the affected parties, rather than a vague, ominous broadside aimed at everyone. (If I, for one, want the latter, I'll watch Fox News.)
Nobody will disagree this was an unfortunate situation. Bad things happen to good people. Everyone victimized here, including BRS, is good people IMHO.
I will continue doing business with BRS. Their business model and delivered value are still attractive to me. I will, as will we all, come away sadder but wiser, knowing more than we care to about the dark side of doing business on-line. The suggestion to use PayPal as a payment processor backed by a credit card as the payment instrument is a good one. Secure payment processing is not BRS' core competence; it is PayPal's raison d'être, and we all should be taking advantage of that as a prudent approach to e-commerce.