Art.com, Inc. is hacked but credit card data was encrypted
Date Reported:
10/27/07
Organization:
Art.com, Inc.
Contractor/Consultant/Branch:
None
Victims:
Customers who made online purchases from July through September, 2007.
Number Affected:
Unknown
Types of Data:
"Names and encrypted credit card numbers"
Breach Description:
On October 27th, Art.com, Inc. issued a statement to customers alerting them to the fact that a criminal Internet "hacker" illegally accessed a system or systems containing names and encrypted credit card information.
Reference URL:
Marketwatch.com Story
AllHeadlineNews.com Story
Report Credit:
Art.com, Inc.
Response:
From the online articles cited above:
"Art.com Inc. said that recently a hacker illegally gained access to some of its customers' names and encrypted credit-card numbers for some transactions made on its Websites from July through September."
[Comfyllama] Art.com, Inc. websites include Allposters.com, art.com, poster.de (German), and artistrising.com.
"To date, the company is unaware of any unauthorized use of those credit-card numbers or any attempted identity theft related to the intrusion,"
[Comfyllama] If Art.com, Inc. has managed their encryption securely, then I wouldn't expect any fraud.
"The hackers broke through multilayered security systems, Art.com said, adding that it has taken additional steps to prevent further intrusions."
"The site said it does not store information like Social Security or driver's license numbers, so no such data were accessed."
[Comfyllama] Good! Can you imagine going to a web site to purchase goods and getting asked for your Social Security number?
Commentary:
See how small this blog posting is, compared to some of the others at The Breach Blog? There really isn't all that much to report on this breach. The credit card data was encrypted and I assume that Art.com knows how to manage encryption keys (key management lifecycle). Kudos to Art.com, Inc. for encrypting confidential information at rest.
It appears as though Art.com has a good grip on what it takes to secure data. It is important to point out that even with the "multilayered security systems" employed by Art.com it still took encryption to secure the information. Art.com's approach to security is built upon a very well-known concept, defense-in-depth.
Past Breaches:
Unknown

On December 2, 2007, I discovered my full birthday was now available online by simply googling it along with my proper name. That date is traceable back to Art.com. I did not give them valid information to start with and I maintain a list of what information I reveal where. The date they were given was unique to them.
Attempts to notify Art.com have proven fruitless. They apparently use outsourced customer service. There's no way to get through to anyone there who might need to know this information.
It seems not everything that was revealed was encrypted.
Encryption can be decrypted; the real problem is that financial data was held there in the first place. The only solution to data breaches is not to hold data at all. Even the National Retail Federation released a call in October 2007 to credit card companies to stop forcing retailers to store credit card data on their systems.