SQL injection compromises MLSgear.com customer information

Date Reported:
2/1/08

Organization:
Major League Soccer, L.L.C.

Contractor/Consultant/Branch:
MLSgear.com
Unnamed hosting provider

Victims:
MLSgear.com customers

Number Affected:
Unknown*

*MLSgear.com informed the New Hampshire Attorney General that there are 169 affected persons in her state

Types of Data:
Names, addresses, credit and debit card information, and MLSGear.com passwords

Breach Description:
An unauthorized third party attempted to obtain access to, and may have accessed, personal information belonging to MLSgear.com customers through SQL injection attacks carried out on the MLSgear.com web site between January and August 2007.

Reference URL:
The New Hampshire State Attorney General breach notification
Computerworld online story
PogoWasRight.org report

Report Credit:
The New Hampshire State Attorney General

Response:
From the online sources cited above:

It has recently come to our attention that an unauthorized third party has attempted to obtain access to, and may have accessed, the personal information of customers of the MLSGear.com website.

Based upon the forensic audit we commissioned upon the request of Visa and MasterCard, our current understanding of this situation is that these third parties used SQL Injection attacks between January and August 2007, and may have obtained names, addresses, credit and debit card information, and MLSGear.com passwords, that had been stored on computer servers operated by a third party service provider.
[Evan] SQL Injection attacks have been around ever since there was SQL (a long time!).  SecuriTeam has a pretty good explanation of how it works, or a pretty good demo on .


We have a zero tolerance policy when it comes to protection of our customers' personal information and consequently, we are terminating our relationship with that e-commerce provider.
[Evan] I don't know who MLSgear.com was hosted with before, but they appear to be hosted by GSI Commerce at the time I am writing this. GSI Commerce also hosts Liz Claiborne, Dick's Sporting Goods, Polo, Major League Baseball, RadioShack, and NASCAR, among others.

We have also taken immediate steps to further strengthen our already stringent security measures to safeguard the privacy of customer personal and credit information, including purging all passwords.

We are notifying on approximately February 1, 2008, all customers whose information was potentially affected by the above-described activity.

We have arranged for and are offering to all affected customers one year of credit monitoring services and, if necessary, credit restoration with Kroll Background America, Inc., free to the customer.
[Evan] Affected customers are not signed up automatically; they will need to follow the instructions received in their letter.

We have also contacted federal law enforcement and are currently working with the Federal Bureau of Investigation. Further, we are working with VISA, MasterCard, and Chase Paymentech, our credit card payment processor, on this issue.

Please be assured that MLSGear.com remains committed to ensuring the safety and security of our customers' sensitive personal information. We appreciate your support and sincerely apologize for this incident.

Commentary:
There were 169 affected individuals in New Hampshire alone. I imagine that the total number globally could be much larger. Victims are not so much at risk of identity theft as they are of credit card fraud. If an affected customer knows which card they used for purchases on MLSgear.com, they should cancel the card and get a new one (with a new number).

SQL injection attacks should have been detected through the quarterly online security scans that are required as part of VISA compliance.

Past Breaches:
Unknown
