Online theft and fraud involves OSU Bookstore customers

Date Reported:
6/3/08

Organization:
Oregon State University

Contractor/Consultant/Branch:
OSU Bookstore, Inc.*

*OSU Bookstore is a nonprofit corporation that has been serving Oregon State University and the town of Corvallis since 1914. Our main store is located in the Memorial Union on the Oregon State University campus. Today, as in 1914, the bookstore is governed by a Board of Directors composed of faculty, staff, and students of Oregon State University.

Victims:
Online customers

Number Affected:
"as many as 4,700"

Types of Data:
Personal information including credit card numbers

Breach Description:
"The Oregon State Police is investigating the theft of personal information from as many as 4,700 online customers of the OSU Bookstore who used credit cards to purchase items."

Reference URL:
Albany Democrat Herald
Associated Press via KVAL Channel 13 News
KVAL Channel 13 News

Report Credit:
Albany Democrat Herald

Response:
From the online sources cited above:

CORVALLIS, Ore. (AP) - Oregon State officials say credit card scammers may have defrauded 4,700 online customers of the school's bookstore.

In March, OSP began an investigation into a report that approximately 30 OSU Bookstore customers’ personal information may have been compromised following online orders.
[Evan] Unfortunately, the bookstore did not appear to be monitoring web traffic to and from the server to detect unusual (and potentially attack) traffic. The fact that this detective control was missing from the security architecture meant that the bookstore had to rely on customers to tell them something was wrong. An incident response should probably have been initiated at this point (March, not May).

Then last week, telephone calls and e-mails began coming into the bookstore from customers who had noticed fraudulent charges on their credit cards almost immediately after placing online orders.

Bookstore General Manager Steve Eckrich says servers were shut down when the security breach was discovered.
[Evan] 2+ months after the bookstore was originally notified that something was wrong. At the time of this post, the site is still down.

"They tried different attacks and our Web site evidently had one vulnerability in it," said General Manager Steve Eckrich.
[Evan] I would bet my cup of coffee that the Web site had more than one vulnerability! I love my coffee. Where is the IDS/IPS?
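As an added illustration of the detective control discussed above (example code written for this post, not anything from OSU Bookstore, the news reports, or any named product; the log lines, IP addresses and thresholds are constructed and assumed): a small check over web-server access logs that flags a client hitting many distinct paths in a short window and mostly getting error responses, which is what "they tried different attacks" looks like in the logs an IDS or a log monitor would have been watching.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Common Log Format, e.g.: 203.0.113.5 - - [01/Mar/2008:12:00:00 +0000] "GET /cart HTTP/1.1" 200 512
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$')

def parse_line(line):
    m = LOG_RE.match(line)              # returns None for lines that are not access-log records
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def flag_probing_clients(lines, window=timedelta(seconds=60),
                         min_requests=8, min_distinct=6, min_error_ratio=0.5):
    """Return {client_ip: reason} for clients that, within any `window`, sent >= min_requests
    to >= min_distinct paths with mostly 4xx/5xx answers (a scanner's pattern, not a shopper's)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append(rec[1:])          # (ts, path, status)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):             # sliding time window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            if len(span) < min_requests:
                continue
            distinct = len({path for _, path, _ in span})
            ratio = sum(status >= 400 for _, _, status in span) / len(span)
            if distinct >= min_distinct and ratio >= min_error_ratio:
                flagged[ip] = f"{len(span)} requests, {distinct} paths, {ratio:.0%} errors within {window.seconds}s"
                break
    return flagged

def _line(ip, secs, path, status):
    ts = datetime(2008, 3, 1, 12, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=secs)
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" {status} 512'

# Constructed sample: one ordinary shopper and one client walking the site looking for weak spots.
SAMPLE_LOG = [_line("203.0.113.5", i * 20, p, 200) for i, p in
              enumerate(["/", "/books", "/cart", "/checkout", "/thanks"])]
SAMPLE_LOG += [_line("198.51.100.7", i * 3, p, s) for i, (p, s) in enumerate([
    ("/", 200), ("/admin/", 403), ("/backup/", 404), ("/old/", 404), ("/test/", 404),
    ("/config/", 403), ("/cgi-bin/", 404), ("/checkout?id=x", 500), ("/orders/1", 404), ("/books", 200)])]
```

Run against SAMPLE_LOG, `flag_probing_clients` reports the second client within its first eight requests and ignores the shopper; the same thresholds apply to real access logs, where a flag in March would have been the cue to start incident response rather than waiting for customer complaints in May.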

The Bookstore has alerted its online customers who had made a purchase.

State Police Lieutenant Jeff Lanz says the security breach appears to have originated outside the university, but where is unknown.

The OSU Bookstore has hired an outside agency to help with its own investigation and to provide guidance on strengthened security safeguards for its computing network.
[Evan] Good call; it just stinks that the bookstore was reactive and not proactive.

"We'll be using their recommendations not only to solve that particular problem that was exploited but to add additional layers of security on top of that so that information is not exposed or cannot be exposed in the way that it was,"
[Evan] Another good call.

Commentary:
Obviously the OSU Bookstore did not employ the proper security controls to #1 secure the site, #2 detect a breach, and #3 respond to a breach. Three strikes. Poor planning and poor implementation. I hope that OSU Bookstore, Inc. takes the proper steps to formalize their information security program and reduce risk. We'll see.

Past Breaches:
Unknown
