AW Direct Web Site Compromise Leads to Disclosure of Credit Card Data

Date Reported:

9/12/07

Organization:
AW Direct, Inc.

Contractor/Consultant:
None

Victims:
AW Direct customers

Number Affected:
Unknown

Types of Data:
First and last name, address, and credit card information

Breach Description:
An unnamed (unknown) party "may have" accessed portions of the AW Direct website, including customer order information.

Reference URL:
http://doj.nh.gov/consumer/pdf/AW_Direct.pdf

Report Credit:
New Hampshire Attorney General

Response:
From the official breach notification and letter to victims (above):

"AW Direct, Inc. is a direct marketing company that sells general towing and work truck equipment and accessories to business in the auto service, utilities, government, and construction markets."

"We recently became aware that there may have been unauthorized access to portions of the AW Direct website that included customer orders."
[Comfyllama] May have?  Either someone did, or they didn't.  Simple logging and forensics should lead to more of a definitive answer.

"In response to this situation, AW Direct has taken steps to enhance its website security and the ability to monitor and detect unauthorized access attempts."
[Comfyllama] If I were a customer, I would want more detail than this.  This statement means nothing to me personally.  You could patch the web server, configure logging, then say this and you wouldn't be lying, but you also wouldn't be ensuring the security of sensitive information.
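
On the logging and forensics point: a web server access log usually turns "may have" into "did" or "did not". As an added example (not from AW Direct or the notification letter), here is a short Python script that parses constructed Apache combined-format log lines and flags a client that walked through sequential order IDs on a hypothetical /orders/view.asp page within a few seconds, the classic footprint of someone pulling other customers' orders rather than viewing their own. The IPs, paths and timestamps are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Apache "combined" access-log lines (not AW Direct's logs).
# 198.51.100.7 walks five consecutive order IDs in three seconds;
# 203.0.113.25 views one order from the account page, then browses the catalog.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Sep/2007:10:01:02 -0400] "GET /orders/view.asp?id=10041 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Sep/2007:10:01:03 -0400] "GET /orders/view.asp?id=10042 HTTP/1.1" 200 5133 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Sep/2007:10:01:03 -0400] "GET /orders/view.asp?id=10043 HTTP/1.1" 200 5088 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Sep/2007:10:01:04 -0400] "GET /orders/view.asp?id=10044 HTTP/1.1" 200 5101 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Sep/2007:10:01:04 -0400] "GET /orders/view.asp?id=10045 HTTP/1.1" 200 5099 "-" "Mozilla/4.0"
203.0.113.25 - - [12/Sep/2007:10:05:40 -0400] "GET /orders/view.asp?id=10210 HTTP/1.1" 200 5140 "https://example.com/account" "Mozilla/5.0"
203.0.113.25 - - [12/Sep/2007:10:06:02 -0400] "GET /catalog/winches.asp HTTP/1.1" 200 9020 "https://example.com/" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Hypothetical order-detail page; adjust to the real application's URL.
ORDER_RE = re.compile(r'^/orders/view\.asp\?id=(?P<id>\d+)$')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_order_enumeration(log_text, min_ids=3, window_seconds=60):
    """Return {ip: sorted order ids} for clients that successfully fetched at
    least min_ids distinct order pages inside any window_seconds span.
    A real customer views a handful of their own orders; a scraper walks IDs."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue
        om = ORDER_RE.match(rec["path"])
        if om:
            hits[rec["ip"]].append((rec["ts"], int(om.group("id"))))

    findings = {}
    for ip, events in hits.items():
        events.sort()
        # Sliding window anchored at each request; stop at the first window that qualifies.
        for i in range(len(events)):
            ids = {events[i][1]}
            for j in range(i + 1, len(events)):
                if (events[j][0] - events[i][0]).total_seconds() > window_seconds:
                    break
                ids.add(events[j][1])
            if len(ids) >= min_ids:
                findings[ip] = sorted(ids)
                break
    return findings


if __name__ == "__main__":
    for ip, ids in find_order_enumeration(SAMPLE_LOG).items():
        print(f"{ip} walked {len(ids)} order ids: {ids[0]}..{ids[-1]}")
```

Run against the real log, the output is a list of client addresses and exactly which order records each one pulled, which is the level of detail a notification letter could state instead of "may have". The thresholds are deliberately loose; tune min_ids and the window to the site's normal traffic before treating a hit as confirmed.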

AW Direct is reimbursing affected customers for a one-year subscription to CreditInsure by Experian and has provided a phone number for questions; 1-.

Commentary:
Based solely on what I have read from the company, I would not feel very safe about AW Direct's treatment of personal data.  E-commerce shops should be held to a higher standard with respect to online security.  AW Direct processes credit cards, and as such is subject to PCI DSS.  Even low-volume merchants (Visa Merchant Level 4) are expected to have quarterly external vulnerability scans performed by a PCI Approved Scanning Vendor (ASV); for Level 4, the exact validation requirements are set by the merchant's acquiring bank.  Were these scans not done?  If they were, then why wasn't the vulnerability discovered and mitigated?  Bear in mind that a clean ASV scan only covers externally visible, known network and server issues; it says nothing about application flaws such as an order page that does not check whose order is being requested.  Of course this is all assuming that this was an outside attack on the web site, which is what I am assuming.

This is also another example of a company that is storing credit card information.  No company should store credit card information unless it is absolutely critical to the conduct of its business, and even then only the account number, never the CVV2 or magnetic-stripe data, which PCI DSS forbids retaining after authorization.  Optimally, card data is kept only long enough to validate and process the transaction; after that the order record should hold at most a processor-issued token and the last four digits.
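
One way to answer the "are we storing card data?" question against your own order store, added here as an example rather than anything from AW Direct: scan every text field of every stored record for Luhn-valid 13 to 19 digit numbers and for CVV-type fields. The order records, field names (card_number, cvv, card_token, card_last4, notes) and the test card numbers below are constructed for the example; the same scan works over a database dump or a directory of exported files.

```python
import re

# Constructed order records (not AW Direct data). The first two keep what the
# commentary warns against: a full card number plus CVV, and a card number
# that leaked into a free-text notes field. The third keeps only a processor
# token and the last four digits, which is the pattern to aim for.
SAMPLE_ORDERS = [
    {"order_id": 10041, "customer": "A. Smith",
     "card_number": "4111 1111 1111 1111", "cvv": "123", "exp": "09/09"},
    {"order_id": 10042, "customer": "B. Jones",
     "notes": "customer phoned, card 5500-0000-0000-0004 declined once"},
    {"order_id": 10043, "customer": "C. Lee",
     "card_token": "tok_8f3a9c1d", "card_last4": "0004", "exp": "09/09"},
]

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer run.
PAN_CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')
# Field names that hold sensitive authentication data; these must never be stored.
CVV_KEYS = {"cvv", "cvv2", "cvc", "cid", "security_code"}


def luhn_ok(digits):
    """Luhn check digit validation; every real card number passes this."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid card-number-length digit strings found in text.
    Luhn screens out most phone numbers and order IDs but not all, so a hit
    still needs a human look before anyone deletes anything."""
    out = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            out.append(digits)
    return out


def mask(pan):
    """First six and last four, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_order(order):
    """Return a list of (field, problem) pairs for card data that should not be stored."""
    problems = []
    for key, value in order.items():
        if key.lower() in CVV_KEYS:
            problems.append((key, "sensitive authentication data stored"))
            continue
        if not isinstance(value, str):
            continue
        for pan in find_pans(value):
            problems.append((key, "PAN " + mask(pan)))
    return problems


def audit(orders):
    """Map order_id -> problems for every record that stores card data."""
    report = {}
    for order in orders:
        problems = audit_order(order)
        if problems:
            report[order["order_id"]] = problems
    return report


if __name__ == "__main__":
    for order_id, problems in audit(SAMPLE_ORDERS).items():
        for field, problem in problems:
            print(f"order {order_id}: field '{field}': {problem}")
```

The notes-field hit is the one worth noticing: card numbers that were never "stored" by design still end up in comment boxes, support tickets and log files, and those are what an attacker who reaches the order database walks away with.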

Past Breaches:
None
