Intrusion at Stedmans.com exposes credit card information

Date Reported:
3/10/08

Organization:
Wolters Kluwer

Contractor/Consultant/Branch:
Lippincott Williams & Wilkins
Stedman's
Bixler Incorporated

Victims:
Customers who made online purchases from Stedman's between August 30th, 2007 and February 27th, 2008

Number Affected:
Unknown*

*There were 25 New Hampshire residents affected.  The total number affected is expected to be much larger.

Types of Data:
Names, addresses, telephone numbers, email addresses, credit card numbers, expiration dates, and card verification numbers.

Breach Description:
"On February 27, 2008, Lippincott Williams & Wilkins, a Wolters Kluwer business was informed by the company that hosts one of our websites, www.stedmans.com, that personal information collected from consumers through the website may have been compromised through an unauthorized intrusion into the server that stores information from individuals who purchased products at our website."

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

On February 27, 2008, Lippincott Williams & Wilkins, a Wolters Kluwer business was informed by the company that hosts one of our websites, www.stedmans.com, that personal information collected from consumers through the website may have been compromised through an unauthorized intrusion into the server that stores information from individuals who purchased products at our website.
[Evan] The company that hosts stedmans.com is Bixler Incorporated.

The personal information that may have been compromised may include names, addresses, telephone numbers, email addresses, credit card numbers, expiration dates, and card verification numbers of individuals who made purchases at the site from approximately August 30, 2007 to February 27, 2008.
[Evan] Storing card verification numbers is a violation of the Payment Card Industry (PCI) Data Security Standard. According to Requirement 3 (Protect stored cardholder data), Section 3.2.1: "NEVER store the card verification code or value or PIN verification value data elements," and 3.2.2: "Do not store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions." Stedmans.com was not compliant with the standard. Why wasn't the site compliant, and what vulnerability was exploited?

The company has contacted the three major national credit reporting agencies, and the company mailed a notice to consumers who may have been affected by this incident on March 10, 2008.
[Evan] It would be a better idea to contact Visa and MasterCard than it would be to contact the credit reporting agencies. If the information was limited to what was reported, then there is not a high risk of immediate identity theft (no Social Security numbers in particular). There is a medium to high risk of credit card fraud, which is a much different issue.

We are working with our website hosting company on additional security measures for the Stedmans.com website.
[Evan] It would be a good idea to work with information security professionals (third-party review).

we have arranged with Equifax Personal Solutions to provide potentially affected consumers with an opportunity to enroll in the Equifax Credit Watch Gold identity theft protection product at no cost to them for one year.
[Evan] Again, this is not really an identity theft issue. It is a credit card fraud issue. They are two related but different issues.

Lippincott Williams & Wilkins is committed to maintaining and protecting the confidentiality of our customers' personal, private, and sensitive information. We regret that this situation has occurred, and we will be working to reduce the risks of a similar situation happening in the future.

Commentary:
This breach certainly affects many more than the 25 New Hampshire residents mentioned in the breach notification to the New Hampshire State Attorney General. I am disappointed by the appearance that stedmans.com was not Visa/PCI DSS compliant, and by a response that shows a misunderstanding of the risks. Stedmans.com customers are mostly people in the medical field, so I am guessing that many of these credit cards have limits that exceed mine.
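The PCI DSS point raised in the Response notes and in the commentary above (sensitive authentication data such as the card verification value must not be retained after authorization) can be turned into a simple check. The following is an added example, not code from the post, Stedman's or its hosting company; the order records, field names and card numbers are constructed test data.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample order records (industry test card numbers, not real cards):
# 1001 and 1002 retain the card verification value after authorization,
# 1003 keeps only what may be stored (last four PAN digits plus the auth reference).
SAMPLE_ORDERS: List[Dict[str, Any]] = [
    {"order_id": 1001, "name": "A. Example", "card_number": "4111111111111111",
     "expiry": "09/09", "cvv": "123"},
    {"order_id": 1002, "name": "B. Example", "card_number": "5500000000000004",
     "expiry": "11/08", "Security_Code": "4567"},
    {"order_id": 1003, "name": "C. Example", "card_last4": "0004",
     "expiry": "11/08", "auth_ref": "AUTH-98765"},
]

# Field names under which sensitive authentication data (PCI DSS Requirement 3.2)
# tends to be persisted by mistake: card verification values, PINs, track data.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "security_code",
              "card_verification", "verification_code", "pin", "pin_block",
              "track1", "track2", "track_data"}
CVV_RE = re.compile(r"^\d{3,4}$")


def find_sad_violations(orders: List[Dict[str, Any]]) -> List[Tuple[Any, str]]:
    """Return (order_id, field) for every record that still holds sensitive
    authentication data. A verification-code field counts only if it carries
    an actual 3- or 4-digit value; PIN and track fields count whenever non-empty."""
    hits = []
    for rec in orders:
        for field, value in rec.items():
            key = field.lower()
            if key not in SAD_FIELDS or value in (None, ""):
                continue
            if key.startswith(("pin", "track")) or CVV_RE.match(str(value)):
                hits.append((rec.get("order_id"), field))
    return hits


def sanitize_for_storage(order: Dict[str, Any]) -> Dict[str, Any]:
    """What a checkout flow should persist after the authorization call: drop all
    sensitive authentication data and keep only the last four PAN digits (a full
    PAN, if it must be kept, has to be rendered unreadable under Requirement 3.4).
    Returns a new dict; the verification value goes to the processor and is discarded."""
    kept = {k: v for k, v in order.items() if k.lower() not in SAD_FIELDS}
    pan = kept.pop("card_number", None)
    if pan is not None:
        kept["card_last4"] = str(pan)[-4:]
    return kept
```

Running `find_sad_violations` over an exported order table is a quick way to confirm whether a site's database would have exposed verification values in an intrusion like this one.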

Past Breaches:
Unknown
