KimsCrafts e-commerce breach affects 4,500
Technorati Tag: Security Breach
Date Reported:
12/14/07 (reported to New Hampshire Attorney General on 11/3)
Organization:
eMotive, Inc. d/b/a KimsCrafts
Contractor/Consultant/Branch:
None
Victims:
KimsCrafts.com customers
Number Affected:
approximately 4,500
Types of Data:
Names, addresses, and credit card numbers
Breach Description:
On November 3rd, 2007, lawyers working on behalf of KimsCrafts notified the New Hampshire State Attorney General of a potential security breach on the KimsCrafts e-commerce site. The breach affects approximately 4,500 KimsCrafts customers.
Reference URL:
The New Hampshire State Attorney General breach notification
Forum of Incident Response and Security Teams (FIRST) report
Report Credit:
The New Hampshire State Attorney General
Response:
From the official New Hampshire Attorney General breach notification and letter sent to affected individuals:
I am writing on behalf of my client, eMotive, Inc. d/b/a KimsCrafts, a small Maine craft manufacturing company located in Topsham, Maine.
The purpose of this letter is to inform you that KimsCrafts will be notifying approximately 4,500 customers (approximately 217 in New Hampshire) about a security concern with its e-commerce website recently reported to it.
This potential breach of security would have allowed access to consumer information from August 13, 2007 to October 1, 2007 that was limited to names, addresses and credit card numbers.
[Evan] This breach included orders placed since June 25, 2001. This consists of more than six years of confidential financial data available through a previously undetected vulnerability.
KimsCrafts has reported the incident to its local law enforcement agency and has verified through a data security firm that the problem has been contained.
We worked with Visa and Mastercard in assessing the data at risk, and Visa and Mastercard immediately notified your issuing bank so that protective measures could be taken.
As stated, the security concern was immediately contained, and KimsCrafts subsequently took all necessary steps to protect you.
While fraudulent use of your credit or debit card is possible, without data such as social security numbers or other personally identifiable information, it should not be possible to establish credit or alter your credit file.
KimsCrafts is very concerned with the privacy and security of its customers.
In addition to reviewing and adopting best practices as they relate to cardholder's information and complying with the security standards put forth by the credit card association, KimsCrafts will also launch a new e-commerce in the future, with security as the chief concern.
If fraudulent charges appear on your credit card, you should also file a police report with your local law enforcement agency. You should request a copy of the report, as many creditors use it to absolve you of the fraudulent debts. Additionally, you may contact the Federal Trade Commission (FTC) at 877-ID-THEFT (4338-4338).
We value your business and your privacy, and we genuinely apologize for any inconvenience and concern this has caused.
Please contact us with any further questions at:
x21
Commentary:
I don't know how large KimsCrafts is in terms of how much business they do or how many customer records they retain, but I assume that they are a "Level 4 merchant" according to VISA. As a Level 4 merchant, KimsCrafts is required to complete an annual PCI Self-Assessment Questionnaire and quarterly network scans (by an "Approved Scanning Vendor"). I wonder if KimsCrafts was complying prior to this breach report. If they were, then this leads to questions about why the Approved Scanning Vendor did not detect the vulnerability(ies).
I don't think KimsCrafts is all too much unlike many companies of similar size. These companies see the potential money to be made through the internet (e-commerce), but do not necessarily employ the security required of such endeavors. Do these companies not get the necessary consultations? Do they rely on unqualified people to secure their operations, i.e. outsourced IT staff? Do they just not think of security until something happens? Do they not have the necessary resources (money and/or personnel)? Maybe it’s a combination of factors, but I wonder which are prevalent.
Additional tips (for what they are worth) with regard to transaction data and e-commerce site security:
- Development staff should become intimately familiar with the Open Web Application Security Project (OWASP)
- Only store the information that is absolutely necessary to retain. If you can run your e-commerce site effectively without storing credit card data, then don’t!
- Segment your web application/server from your database/server and apply separate network and operating system controls.
- Run host and network intrusion detection and prevention. At a minimum run network intrusion detection, but preferably both.
- If you can afford it, run a separate test and production environment. Run security assessments prior and after pushing code to production.
- Patch regularly (after testing)
- Employ a third-party to validate your results and suggest improvements
These are the tips off the top of my head. I am sure you can think of more, but this'll get ya started!
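The data-minimization tip above is the one that would have blunted this breach: if full card numbers are not in the database, a compromised database yields nothing usable. As an added example (not from the post or from KimsCrafts), here is a small Python audit that finds Luhn-valid card numbers in a database export or log, reports them masked, and flags orders outside a retention window; the sample export, order dates and audit date are constructed, and the test card numbers are the usual publicly documented ones.

```python
import re
from datetime import date, timedelta

# Candidate card number: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers; weeds out order IDs and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which is all a receipt or support ticket needs."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_pans(text: str) -> list[str]:
    """Return masked card numbers found in a database export, log or backup."""
    hits = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits

def stale_orders(orders: list[dict], today: date, retention_days: int) -> list[str]:
    """Order IDs older than the retention window: their card data should already be gone."""
    cutoff = today - timedelta(days=retention_days)
    return [o["id"] for o in orders if o["placed"] < cutoff]

# Constructed sample export (test card numbers, not real customer data).
SAMPLE_EXPORT = """\
order_id=1234567890123456 name=J. Doe card=4111111111111111 exp=09/09
order_id=0000000000000017 name=A. Roe card=5500 0000 0000 0004 exp=11/08
log: checkout ok, phone=603-555-0147
"""

# Constructed order dates spanning the six years of retention the post describes.
SAMPLE_ORDERS = [
    {"id": "1234567890123456", "placed": date(2001, 6, 25)},
    {"id": "0000000000000017", "placed": date(2007, 9, 1)},
]
AUDIT_DATE = date(2007, 10, 1)   # constructed: end of the exposure window in the letter

if __name__ == "__main__":
    print(find_pans(SAMPLE_EXPORT))                      # ['************1111', '************0004']
    print(stale_orders(SAMPLE_ORDERS, AUDIT_DATE, 365))  # ['1234567890123456']
```

Run it against a database dump or web server log before an assessor does; a clean result on the export is the concrete evidence that the "don't store it" tip is actually being followed.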
Past Breaches:
Unknown