Date Reported:
4/16/08
Organization:
Swimwear Boutique ("SWB")
Contractor/Consultant/Branch:
None
Victims:
Customers
Number Affected:
Unknown
Types of Data:
Name, address, email address, SWB account password, and credit card information
Breach Description:
SwimwearBoutique.com "recently discovered that a person may have illegally gained unauthorized access to your personal information stored in your SWB account. We believe that this person unlawfully accessed the SWB Internet site between March 26, 2008 and March 28, 2008. The information accessed varied, but could have included your name, address, email address, SWB account password, and credit card account number"
Reference URL:
New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
I am writing to you on behalf of my client SwimwearBoutique.com ("SWB") because it determined on March 28, 2008 that it was the victim of an illegal intrusion into its systems.
Criminals unlawfully obtained access to certain databases containing various information, which could have included names, addresses, and credit card information of approximately 37 residents of New Hampshire, who were SWB customers.
[Evan] 37 residents in New Hampshire alone. I assume that the number nation/worldwide would be much higher.
We believe that this person unlawfully accessed the SWB Internet site between March 26, 2008 and March 28, 2008.
These criminals also corrupted data maintained by SWB, rendering certain data unreadable and unusable.
[Evan] Could this be the purpose behind the SWB note on their Sign In page?

We reported this crime to the Dallas office of the United States Secret Service, and are assisting with the investigation.
We hope that the criminals responsible will be apprehended and prosecuted to the fullest extent of the law.
[Evan] Geez. I think we all hope for this, but the reality is that online intruders are rarely caught and prosecuted.
SWB also worked with its existing Internet security provider, McAfee, to determine how these criminals gained access to this information and immediately implemented measures to counter such unlawful conduct.
We are monitoring the site for further attempts to break into the site and we continue to work with McAfee to maintain the security of the site.
[Evan] Although I don't see the "Hacker Safe" seal anywhere on the site today, this is the McAfee service that SwimwearBoutique.com uses. In January, 2008 we reported the Geeks.com (also a Hacker Safe customer) breach.
We already have notified our merchant bank and are cooperating with it to provide a list of the affected individuals to it.
Notification letters will be sent out on April 23, 2008.
Affected customers also can contact us for more information at 1-866-SWIMWEAR.
In addition, to any affected customer requesting assistance from us, SWB will offer a year's subscription to the LoudSiren Identity Protection Network.
[Evan] This statement is included in the letter to the New Hampshire State Attorney General. I did NOT see any reference to this in the letter that went to affected customers. Huh.
We are committed to helping our customers affected by these criminal acts.
We deeply regret that a valued customer like you may have been affected by the criminals.
Commentary:
People like simple solutions and quick fixes, which often seem to lead to shortcuts and a false sense of security. Does a "Hacker Safe" seal or PCI compliance mean that your credit card information will be safe? No, it certainly doesn't. Understand these for what they are: a baseline level of security that only meets a certain number of requirements. There is a heckuva lot more to information security. Don't get me wrong, I think that requirements and baselines are important, but they are no more than a cog in a complex machine.
A tip for online consumers:
Check out PayPal's Virtual Debit Card. "PayPal Virtual Debit Card generates a virtual card number each time you make a transaction online so you don't have to use your personal debit or credit card number." A one-time credit card number. If your card number is compromised, it only affects the one transaction. Fraudsters are unable to rack up additional charges. Cool.
Past Breaches:
None