Credit-card data leak in online buys

Triangle shoppers defrauded

As online shopping reaches its annual crescendo of activity, here's another reminder to be mindful of the information you hand out.

A Greensboro company, Innisbrook, has notified thousands of parents across the country that their credit card information may have been compromised. Some parents in the Triangle have found fraudulent charges on their accounts.

Innisbrook works with thousands of schools nationwide and sells things like school supplies and wrapping paper to raise money for the schools.

The security breach happened in August, when many customers were placing orders for bundles of back-to-school supplies.

Twenty-four schools in North Carolina were affected, and only information from customers who placed orders online and paid with a credit card was at risk.

Customer service manager Debi Stacy declined to provide a list of the affected schools but said that there were seven in Wake County and one in Durham County.

Stacy stressed that the breach occurred on the company's school supplies site, which is separate from the company's main Web site and operates on different servers.

Federal authorities have been notified of the incident, and the company sent a letter to all customers who had placed a school supplies order online at the end of October, Stacy said.

"We don't know how much information was accessed, but at that time, we decided that we needed to inform everyone," she said. "We were just blown away. It's been a horrible experience."

Some parents knew there was a problem even without the official notification from Innisbrook.

Andrew Snee, whose 7-year-old son goes to Conn Elementary School in Raleigh, said his credit card company called him when suspicious purchases were made.

"There were three charges -- two of them were like music downloads," he said, adding that the credit card company told him criminals will generally do that to test the card to see if it works. "The biggest one was someone had registered $346 worth of domain names at register.com," Snee said.

Snee said he and his wife had to cancel their card and get a new one, but in all, it was a minor inconvenience. "It was a bit of a heart-in-the-throat moment," he said.

Since the incident, Innisbrook has replaced the affected servers, installed better security software and stopped storing people's credit card information entirely, Stacy said. Previously, parents could place an order early in the summer and the company would keep the information on record until the order was actually filled in the fall.

"The card will be billed immediately from now on," Stacy said.

Innisbrook is a privately held company that employs 140 people.

Andrew Snee has learned his lesson. The next time his son brings home a fundraising catalog, he said, "I might just ask if I can give some money to the school."