Cached copy of http://breachblog.com/2008/06/11/cotton.aspx, taken as a snapshot when the feed was indexed.
Cotton Traders confirms that their website was compromised
2008-06-11 10:45:54 by Evan Francen in The Breach Blog
Date Reported:
6/10/08

Organization:
Cotton Traders Ltd.

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
"thought to be up to 38,000"*

*Cotton Traders claims this figure is "widely inaccurate" but isn't supplying the correct figure

Types of Data:
"addresses and credit card details"

Breach Description:
"Clothing firm Cotton Traders has confirmed that customers’ addresses and credit card details were stolen during a hack on its website in January."

Reference URL:
BBC News
Information Age
CNET Networks (Silicon.com)
The Register

Report Credit:
BBC News and an informed reader of The Breach Blog

Response:
From the online sources cited above:

The credit card details of up to 38,000 customers of clothing firm Cotton Traders were stolen following a hack of its website

It was initially reported that 38,000 card details were stolen. Cotton Traders claim the number is "substantially less" but refuse to confirm the actual number.
[Evan] Why is Cotton Traders not disclosing the number of persons affected by the breach?  I think they do more damage to their reputation by not appearing open and honest about the breach.  I can't think of any significant risk in sharing this information.

The firm has not confirmed the size of the breach but it has acknowledged the site was attacked early this year.

Barclaycard was contacted as soon as it learned of the attack, and most cards were stopped in January

"Those involved were notified at the time and card replaced,"
[Evan] Really?  In what manner were the people involved notified?  Typically, when people are notified, they talk and/or share their experiences.  BBC News reports about this breach ~5 months after the incident, so I wonder if people really were notified "at the time".

The payment industry's trade body said it was serious because hackers accessed details for "card not present" fraud

customer addresses were also stolen in the hack

a specialist police force was investigating the case

In a statement, Cotton Traders said all of its customers' credit card data was encrypted on the website
[Evan] Hmmm. How and where was the data encrypted? Due to the lack of disclosed details, we are left to speculate. I can tell you from my past experiences that encryption is typically used for data in transit (from the front-end web server to the client) and sometimes where data is at rest (stored in the database). It is not uncommon for data to flow unencrypted between the back-end (database) and front-end (web server). Let's assume that this was a well-architected ecommerce platform (from an information security standpoint), and that data is encrypted between the front-end and back-end components. The information still exists for some amount of time on the front-end server in a non-encrypted state. If the front-end web server were compromised, it is completely conceivable that the information's confidentiality was compromised. I am not even going to speculate where and how encryption keys could be managed, but obviously this is another critical component of the architecture.

Cotton Traders, a specialist clothing outfit founded by ex-England rugby stars Fran Cotton and Steve Smith, said the potential to misuse the data is low because the credit card information was encrypted.
[Evan] See my comments above.  More information is required before a claim like the "potential to misuse the data is low" can be verified.

Earlier this year we identified a security issue. We immediately brought in industry security experts to resolve the problem.
[Evan] Who are the "industry security experts"?

"Cotton Traders have recently upgraded all security on their website which has been validated by leading Industry experts."

"We would like to reassure all our customers that their data is secure and that the Cotton Traders website meets all leading Industry security standards."

The exact method used to hack the Cotton Traders website is not known.

Cotton Traders warned that other major retailers would be vulnerable to the same attack saying its website has always met "leading security standards".
[Evan] How do you make a claim like this and not share?!  If other major retailers "would be vulnerable to the same attack", then shouldn't they and the information security industry be notified ASAP?  Maybe they/we have, but I don't think so.  The fact that the bad guys share information so much better than us good guys has been an "industry vulnerability" that has existed for many years.  This seems like another example of the communication barrier that still exists between "industry experts".

The firm has said customers worried about their cards should contact their card provider.

Security groups say the attack highlights the need for laws governing companies' response to breaches, as called for by silicon.com's Full Disclosure campaign.
[Evan] Unfortunately, we need laws to force organizations to do the right things that they should have been doing all along. If organizations were managed well globally, would we need laws like breach notification statutes, SOX, HIPAA, etc.? The chance of organizations being well managed globally is a pipe dream.

Commentary:
I don't know what irks me more about breaches like this, the breach itself or the poor response.

Past Breaches:
Unknown