Voxant Hack + Poor Key Management = 4,500 Credit Card Records Exposed
Technorati Tag: Security Breach
Date Reported:
9/12/07
Organization:
Voxant
Contractor/Consultant:
None
Victims:
Voxant customers
Number Affected:
4,500
Types of Data:
"personal credit card information"
Breach Description:
A hacker compromised Voxant's ecommerce store and "may have" accessed online ordering information belonging to their customers.
Reference URL:
http://doj.nh.gov/consumer/pdf/Voxant.pdf
Report Credit:
New Hampshire Attorney General
Response:
From the official breach notification and letter to victims (above):
"The Voxant online ecommerce store server was hacked on or about June 20, 2007 using what appeared to be a typical phishing scheme."
[Comfyllama] Interesting. Phishing scheme?
"We immediately took the affected server offline, removed the offending phishing pages, stengthened security, and put the server back online on June 22."
[Comfyllama] I am still not clear how their server was breached via a phishing scheme. It sounds more like this server was rooted.
"We continued to repair other applications and investigate, and through our investigations, on July 24 we learned that encrypted credit card numbers could have been access in our ecommerce system during the original incident."
[Comfyllama] Excellent! A security best practice in play by encrypting sensitive data at rest.
"Although the credit card numbers were encrypted, we found that the encryption key was not well protected in our application database."
[Comfyllama] Crap! Scratch my last comment. Good encryption management MUST include secure key lifecycle management. Disclosure of the key (many times a password or passphrase) negates the security provided by the encryption algorithm.
"We no longer store credit card numbers in any fashion"
[Comfyllama] BINGO! If you don't have the data, you don't have to secure it.
To contact Voxant regarding this breach, victims may contact them at 1-.
Commentary:
If you have followed along in many of the other breaches we have covered you may have noticed a common theme; "encrypt confidential data". In the case of this breach the data was encrypted, so what's the problem? The problem is that the encryption was implemented poorly, i.e. poor encryption key management. This is not unlike leaving your keys in the front door of your locked house.
The best news in this report is that Voxant will no longer store credit card information in any manner. This is a great response and a fantastic practice in general. Often, there is no need to keep credit card information for any longer than it takes to get an authorization back from the processor.
Past Breaches:
None
Date Reported:
9/12/07Organization:
Voxant
Contractor/Consultant:
None
Victims:
Voxant customers
Number Affected:
4,500
Types of Data:
"personal credit card information"
Breach Description:
A hacker compromised Voxant's ecommerce store and "may have" accessed online ordering information belonging to their customers.
Reference URL:
http://doj.nh.gov/consumer/pdf/Voxant.pdf
Report Credit:
New Hampshire Attorney General
Response:
From the official breach notification and letter to victims (above):
"The Voxant online ecommerce store server was hacked on or about June 20, 2007 using what appeared to be a typical phishing scheme."
[Comfyllama] Interesting. Phishing scheme?
"We immediately took the affected server offline, removed the offending phishing pages, stengthened security, and put the server back online on June 22."
[Comfyllama] I am still not clear how their server was breached via a phishing scheme. It sounds more like this server was rooted.
"We continued to repair other applications and investigate, and through our investigations, on July 24 we learned that encrypted credit card numbers could have been access in our ecommerce system during the original incident."
[Comfyllama] Excellent! A security best practice in play by encrypting sensitive data at rest.
"Although the credit card numbers were encrypted, we found that the encryption key was not well protected in our application database."
[Comfyllama] Crap! Scratch my last comment. Good encryption management MUST include secure key lifecycle management. Disclosure of the key (many times a password or passphrase) negates the security provided by the encryption algorithm.
"We no longer store credit card numbers in any fashion"
[Comfyllama] BINGO! If you don't have the data, you don't have to secure it.
To contact Voxant regarding this breach, victims may contact them at 1-.
Commentary:
If you have followed along in many of the other breaches we have covered you may have noticed a common theme; "encrypt confidential data". In the case of this breach the data was encrypted, so what's the problem? The problem is that the encryption was implemented poorly, i.e. poor encryption key management. This is not unlike leaving your keys in the front door of your locked house.
The best news in this report is that Voxant will no longer store credit card information in any manner. This is a great response and a fantastic practice in general. Often, there is no need to keep credit card information for any longer than it takes to get an authorization back from the processor.
Past Breaches:
None
Posts Atom 1.0
Comments