http://securityratty.com/tag/mlsgear Thu, 07 Feb 2008 21:00:00 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/5193b99d7531d1457fbe8530678288f7 http://securityratty.com/article/5193b99d7531d1457fbe8530678288f7 Security Breach

Date Reported:
2/1/08

Organization:
Major League Soccer, L.L.C.

Contractor/Consultant/Branch:
MLSgear.com
Unnamed hosting provider

Victims:
MLSgear.com customers

Number Affected:
Unknown*

*MLSgear.com informed the New Hampshire Attorney General that there are 169 affected persons in her state

Types of Data:
Names, addresses, credit and debit card information, and MLSGear.com passwords

Breach Description:
An unauthorized third-party attempted to obtain access to, and may have accessed personal information belonging to MLSgear.com customers through the use of SQL injection attacks carried out on the MLSgear.com web site between January and August, 2007.

Reference URL:
The New Hampshire State Attorney General breach notification
Computerworld online story
PogoWasRight.org report

Report Credit:
The New Hampshire State Attorney General

Response:
From the online sources cited above:

It has recently come to our attention that an unauthorized third party has attempted to obtain access to, and may have accessed the personal information of customers of the MLSGear.com website

Based upon the forensic audit we commissioned upon the request of Visa and MasterCard, our current understanding of this situation is that these third parties used SQL Injection attacks between January and August 2007, and may have obtained names, addresses, credit and debit card information, and MLSGear.com passwords, that had been stored on computer servers operated by a third party service provider.
[Evan] SQL Injection attacks have been around ever since there was SQL (a long time!).  SecuriTeam has a pretty good explanation of how it works, or a pretty good demo on YouTube.

We have a zero tolerance policy when it comes to protection of our customers' personal information and consequently, we are terminating our relationship with that e-commerce provider.
[Evan] I don't know who MLSgear.com was hosted with before, but they appear to be hosted by GSI Commerce at the time I am writing this.  GSI Commerce also hosts Liz Claiborne, Dicks Sporting Goods, Polo, Major League Baseball, Radioshack, NASCAR, among others.

We have also taken immediate steps to further strengthen our already stringent security measures to safeguard the privacy of customer personal and credit information, including purging all passwords

We are notifying on approximately February 1, 2008, all customers whose information was potentially affected by the above-described activity.

we have arranged for and are offering to all affected customers one year of credit monitoring services and, if necessary credit restoration with Kroll Background America, Inc., free to the customer
[Evan] Affected customers are not signed-up automatically, they will need to follow the instructions received in their letter.

We have also contacted federal law enforcement and are currently working with the Federal Bureau of Investigation. Further, we are working with VISA, Mastercard and Chase Paymentech our credit card payment processor on this issue

Please be assured that MLSGear.com remains committed to ensuring the safety and security of our customers' sensitive personal information. We appreciate your support and sincerely apologize for this incident.

Commentary:
There were 169 affected individuals in New Hampshire alone.  I imagine that the total number globally could be much larger.  Victims aren't as much at risk of identity theft as they are of credit card fraud.  If an affected customer knows which card they used for purchases on MLSgear.com, they should cancel the card and get a new one (with a new number).

SQL injection attacks should have been detected through the quarterly online security scans that are required as part of VISA compliance.

Past Breaches:
Unknown

]]> Mon, 11 Feb 2008 06:27:06 +0000 information sensitive personal information personal information mlsgear sql debit card information report credit credit credit card fraud SQL injection compromises MLSgear.com customer information http://securityratty.com/article/b15fe65698d15e4351bc43028f25533a http://securityratty.com/article/b15fe65698d15e4351bc43028f25533a

]]> Thu, 07 Feb 2008 21:00:00 +0000 major league soccer sql injection attacks third-party service provider personal data web site mlsgear individuals series servers Soccer league's online shoppers get hit by security breach