Online intruder makes off with SwimwearBoutique.com customer data

Date Reported:
4/16/08

Organization:
Swimwear Boutique ("SWB")

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Name, address, email address, SWB account password, and credit card information

Breach Description:
SwimwearBoutique.com "recently discovered that a person may have illegally gained unauthorized access to your personal information stored in your SWB account. We believe that this person unlawfully accessed the SWB Internet site between March 26, 2008 and March 28, 2008. The information accessed varied, but could have included your name, address, email address, SWB account password, and credit card account number."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

I am writing to you on behalf of my client SwimwearBoutique.com ("SWB") because it determined on March 28, 2008 that it was the victim of an illegal intrusion into its systems.

Criminals unlawfully obtained access to certain databases containing various information, which could have included names, addresses, and credit card information of approximately 37 residents of New Hampshire, who were SWB customers.
[Evan] 37 residents in New Hampshire alone. I assume that the number nationwide or worldwide would be much higher.

We believe that this person unlawfully accessed the SWB Internet site between March 26, 2008 and March 28, 2008.

These criminals also corrupted data maintained by SWB, rendering certain data unreadable and unusable.
[Evan] Could this be the purpose behind the SWB note on their Sign In page?

We reported this crime to the Dallas office of the United States Secret Service, and are assisting with the investigation.

We hope that the criminals responsible will be apprehended and prosecuted to the fullest extent of the law.
[Evan] Geez. I think we all hope for this, but the reality is that online intruders are rarely caught and prosecuted.

SWB also worked with its existing Internet security provider, McAfee, to determine how these criminals gained access to this information and immediately implemented measures to counter such unlawful conduct.

We are monitoring the site for further attempts to break into the site and we continue to work with McAfee to maintain the security of the site.
[Evan] Although I don't see the "Hacker Safe" seal anywhere on the site today, this is the McAfee service that SwimwearBoutique.com uses. In January 2008 we reported the Geeks.com (also a Hacker Safe customer) breach.

We already have notified our merchant bank and are cooperating with it to provide a list of the affected individuals to it.

Notification letters will be sent out on April 23, 2008.

Affected customers also can contact us for more information at 1-866-SWIMWEAR.

In addition, to any affected customer requesting assistance from us, SWB will offer a year's subscription to the LoudSiren Identity Protection Network.
[Evan] This statement is included in the letter to the New Hampshire State Attorney General. I did NOT see any reference to this in the letter that went to affected customers. Huh.

We are committed to helping our customers affected by these criminal acts.

We deeply regret that a valued customer like you may have been affected by the criminals.

Commentary:
People like simple solutions and quick fixes, which often lead to shortcuts and a false sense of security. Does a "Hacker Safe" seal or PCI compliance mean that your credit card information will be safe? No, it certainly doesn't. Understand these for what they are: a baseline level of security that meets a defined set of requirements. There is a heckuva lot more to information security. Don't get me wrong, I think that requirements and baselines are important, but they are no more than one cog in a complex machine.

A tip for online consumers:
Check out . "PayPal Virtual Debit Card generates a virtual card number each time you make a transaction online so you don't have to use your personal debit or credit card number." A one-time credit card number. If your card number is compromised, it only affects that one transaction; fraudsters are unable to rack up additional charges. Cool.

Past Breaches:
None

Comments
  • 4/28/2008 10:47 AM Dissent wrote:
    As reported here :

    You were reading the letter correctly -- the service is not being offered to everyone -- only those customers who call and request assistance. We confirmed that with their lawyer.

    SWB's lawyer also informs our site that about 8,000 customers were affected.
  • 4/30/2008 8:19 AM H. wrote:
    I am one of Swimwearboutique.com's victims. My credit card information was breached and I received charges that were not mine on my statement; my card was denied to other vendors because it was determined that there was fraud. No one from Swimwearboutique.com had the courtesy to call me, and I know that they knew about this for a month. They have not returned my calls, although I left messages for the President, Peggie Perryman. I have also not heard about any identity security subscription.
    To add insult to injury I never received my swimsuit, so I cancelled my order. I intend to spread the word that Swimwearboutique.com is not to be trusted with personal information.
    1. 5/29/2008 12:34 PM ripped and blown off 2 wrote:
      I too was a victim of this website's lax security. My credit card information and identity were stolen. My calls and e-mails were ignored. When you call this company they don't even want to give out their names or give you any information, let alone an apology or compensation for your losses. This is a low class operation and I wonder how they stay in business.
  • 4/30/2008 9:18 AM Dissent wrote:
    H: if you're pretty sure that your problems stem from this incident and if you cannot get a response by calling SWB, try calling their lawyer, Ronald Raether, at or email him at and tell him his client is not responding and you want the police file number to contact the police, and that you want the LoudSiren service, etc. See if that helps.

    Sorry you're going through all this.