http://securityratty.com/tag/swb Sat, 26 Apr 2008 20:22:24 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/ce68ee3873573126adbe70597b391085 http://securityratty.com/article/ce68ee3873573126adbe70597b391085 Security Breach

Date Reported:
4/16/08

Organization:
Swimwear Boutique ("SWB")

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Name, address, email address, SWB account password, and credit card information

Breach Description:
SwimwearBoutique.com "recently discovered that a person may have illegally gained unauthorized access to your personal information stored in your SWB account.  We believe that this person unlawfully accessed the SWB Internet site between March 26, 2008 and March 28, 2008.  The information accessed varied, but could have included your name, address, email address, SWB account password, and credit card account number"

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

I am writing to you on behalf of my client SwimwearBoutique.com ("SWB") because it determined on March 28, 2008 that it was the victim of an illegal intrusion into its systems.

Criminals unlawfully obtained access to certain databases containing various information, which could have included names, addresses, and credit card information of approximately 37 residents of New Hampshire, who were SWB customers.
[Evan] 37 residents in New Hampshire alone.  I assume that the number nation/worldwide would be much higher.

We believe that this person unlawfully accessed the SWB Internet site between March 26, 2008 and March 28, 2008.

These criminals also corrupted data maintained by SWB, rendering certain data unreadable and unusable.
[Evan] Could this be the purpose behind the SWB note on their Sign In page?



We reported this crime to the Dallas office of the United States Secret Service, and are assisting with the investigation.

We hope that the criminals responsible will be apprehended and prosecuted to the fullest extent of the law.
[Evan] Geez.  I think we all hope for this, but the reality is that online intruders are rarely caught and prosecuted.

SWB also worked with its existing Internet security provider, McAfee, to determine how these criminals gained access to this information and immediately implemented measures to counter such unlawful conduct.

We are monitoring the site for further attempts to break into the site and we continue to work with McAfee to maintain the security of the site.
[Evan] Although I don't see the "Hacker Safe" seal anywhere on the site today, this is the McAfee service that SwimwearBoutique.com uses.  In January, 2008 we reported the Geeks.com (also a Hacker Safe customer) breach.

We already have notified our merchant bank and are cooperating with it to provide a list of the affected individuals to it.

Notification letters will be sent out on April 23, 2008.

Affected customers also can contact us for more information at 1-866-SWIMWEAR.

In addition, to any affected customer requesting assistance from us, SWB will offer a year's subscription to the LoudSiren Identity Protection Network.
[Evan] This statement is included in the letter to the New Hampshire State Attorney General.  I did NOT see any reference to this in the letter that went to affected customers.  Huh.

We are committed to helping our customers affected by these criminal acts.

We deeply regret that a valued customer like you may have been affected by the criminals.

Commentary:
People like simple solutions and quick fixes which often seem to lead to shortcuts and a false sense of security.  Does a "Hacker Safe" seal or PCI compliance mean that your credit card information will be safe?  No, it certainly doesn't.  Understand these for what they are, a baseline level of security that only meets a certain number of requirements.  There is a heckuva lot more to information security.  Don't get me wrong, I think that requirements and baselines are important, but they are not more than a cog in a complex machine.

A tip for online consumers:
Check out PayPal's Virtual Debit Card.  "PayPal Virtual Debit Card generates a virtual card number each time you make a transaction online so you don't have to use your personal debit or credit card number."  A one time credit card number.  If your card number is compromised, it only affects the one transaction.  Fraudsters are unable to rack up additional charges. Cool.

Past Breaches:
None

]]> Sat, 26 Apr 2008 20:22:24 +0000 credit card account credit card time credit card information personal information information security credit card information customers swb customers Online intruder makes off with SwimwearBoutique.com customer data