Cotton Traders confirms that their website was compromised

Date Reported:
6/10/08

Organization:
Cotton Traders Ltd.

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
"thought to be up to 38,000"*

*Cotton Traders claims this figure is "widely inaccurate" but isn't supplying the correct figure

Types of Data:
"addresses and credit card details"

Breach Description:
"Clothing firm Cotton Traders has confirmed that customers’ addresses and credit card details were stolen during a hack on its website in January."

Reference URL:
BBC News
Information Age
CNET Networks (Silicon.com)
The Register

Report Credit:
BBC News and an informed reader of The Breach Blog

Response:
From the online sources cited above:

The credit card details of up to 38,000 customers of clothing firm Cotton Traders were stolen following a hack of its website

It was initially reported that 38,000 card details were stolen. Cotton Traders claim the number is "substantially less" but refuse to confirm the actual number.
[Evan] Why is Cotton Traders not disclosing the number of persons affected by the breach?  I think they do more damage to their reputation by not appearing open and honest about the breach.  I can't think of any significant risk in sharing this information.

The firm has not confirmed the size of the breach but it has acknowledged the site was attacked early this year.

Barclaycard was contacted as soon as it learned of the attack, and most cards were stopped in January

"Those involved were notified at the time and card replaced,"
[Evan] Really?  In what manner were the people involved notified?  Typically, when people are notified, they talk and/or share their experiences.  BBC News reports about this breach ~5 months after the incident, so I wonder if people really were notified "at the time".

The payment industry's trade body said it was serious because hackers accessed details for "card not present" fraud

customer addresses were also stolen in the hack

a specialist police force was investigating the case

In a statement, Cotton Traders said all of its customers' credit card data was encrypted on the website
[Evan] Hmmm.  How and where was the data encrypted?  Due to the lack of disclosed details, we are left to speculate.  I can tell you from my past experiences that encryption is typically used for data in transit (from the front-end web server to the client) and sometimes where data is at rest (stored in the database).  It is not uncommon for data to flow unencrypted between the back-end (database) and front-end (web server).  Let's assume that this was a well-architected ecommerce platform (from an information security standpoint), and that data is encrypted between the front-end and back-end components.  The information still exists for some amount of time on the front-end server in a non-encrypted state.  If the front-end web server were compromised, it is completely conceivable that the confidentiality of the information was compromised.  I am not even going to speculate where and how encryption keys could be managed, but obviously this is another critical component of the architecture.
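The point above, that "the data was encrypted" says nothing about where the cleartext lives, can be made concrete. The Go program below is an added example written for this page; it is not code from the original post, from Cotton Traders or from any source cited here. It assumes a front-end/back-end split in which the back-end holds an RSA private key and the front-end holds only the public half, and it uses a constructed checkout request with the well-known 4111 1111 1111 1111 test number. It contrasts a front-end that keeps the card number in its own state and leaves encryption to the database with one that seals the number to the back-end's key the moment it arrives, so that what the front-end retains (session, log line, order row) no longer contains the cleartext even if that host is compromised.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// CheckoutRequest is what the front-end web server sees after TLS termination:
// the card number arrives in cleartext no matter how the site is "encrypted".
type CheckoutRequest struct {
	Name string
	PAN  string
}

// NaiveOrder models a front-end that keeps the full card number in its own
// state and relies on the database layer to encrypt it later. A compromise
// of this host exposes the cleartext for the lifetime of the order.
type NaiveOrder struct {
	Name string
	PAN  string
}

// NaiveHandle is the "encrypt at rest only" design: nothing is done on receipt.
func NaiveHandle(req CheckoutRequest) NaiveOrder {
	return NaiveOrder{Name: req.Name, PAN: req.PAN}
}

// HardenedOrder models a front-end that seals the card number to the
// back-end's public key as soon as it arrives and keeps only the last four
// digits for display. The matching private key never exists on this host.
type HardenedOrder struct {
	Name      string
	Last4     string
	SealedPAN []byte // RSA-OAEP ciphertext, undecryptable on the front-end
}

const oaepLabel = "card-pan" // binds the ciphertext to this one use

// GenerateBackendKey stands in for key generation on the back-end (or an HSM);
// only &key.PublicKey would ever be shipped to the front-end. Assumed setup.
func GenerateBackendKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// HardenedHandle encrypts immediately, so the cleartext lifetime on the
// front-end is the duration of this call rather than the lifetime of the order.
func HardenedHandle(req CheckoutRequest, backendPub *rsa.PublicKey) (HardenedOrder, error) {
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, backendPub, []byte(req.PAN), []byte(oaepLabel))
	if err != nil {
		return HardenedOrder{}, err
	}
	last4 := req.PAN
	if len(last4) > 4 {
		last4 = last4[len(last4)-4:]
	}
	return HardenedOrder{Name: req.Name, Last4: last4, SealedPAN: sealed}, nil
}

// BackendOpen is the only code path that touches the private key; it belongs
// on the back-end, where the number is actually needed to authorise the charge.
func BackendOpen(order HardenedOrder, backendPriv *rsa.PrivateKey) (string, error) {
	pan, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, backendPriv, order.SealedPAN, []byte(oaepLabel))
	if err != nil {
		return "", err
	}
	return string(pan), nil
}

// DumpNaive and DumpHardened render everything the front-end retains for an
// order, standing in for a leaked session store, log file or database row.
func DumpNaive(o NaiveOrder) string {
	return fmt.Sprintf("name=%s pan=%s", o.Name, o.PAN)
}

func DumpHardened(o HardenedOrder) string {
	return fmt.Sprintf("name=%s last4=%s sealed=%s", o.Name, o.Last4, hex.EncodeToString(o.SealedPAN))
}

// RetainedStateExposesPAN asks the commentary's question directly: if someone
// read what this host retained, is the card number in it?
func RetainedStateExposesPAN(retained, pan string) bool {
	return strings.Contains(retained, pan)
}

func main() {
	priv, err := GenerateBackendKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample input; 4111111111111111 is a published test number, not a real card.
	req := CheckoutRequest{Name: "A Customer", PAN: "4111111111111111"}

	naive := NaiveHandle(req)
	fmt.Println("naive front-end retains PAN:   ", RetainedStateExposesPAN(DumpNaive(naive), req.PAN))

	hard, err := HardenedHandle(req, &priv.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("hardened front-end retains PAN:", RetainedStateExposesPAN(DumpHardened(hard), req.PAN))

	pan, err := BackendOpen(hard, priv)
	if err != nil {
		panic(err)
	}
	fmt.Println("back-end recovered PAN:        ", pan == req.PAN)
}
```

The design choice worth noting is not the cipher but the key placement: encrypting on the front-end with a key the front-end can also use to decrypt (a common "database encryption" setup) would leave the naive and hardened cases equivalent once the host is compromised. Sealing to a public key whose private half lives only on the back-end is what removes the front-end from the set of hosts that can recover the number.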

Cotton Traders, a specialist clothing outfit founded by ex-England rugby stars Fran Cotton and Steve Smith, said the potential to misuse the data is low because the credit card information was encrypted.
[Evan] See my comments above.  More information is required before a claim like the "potential to misuse the data is low" can be verified.

Earlier this year we identified a security issue. We immediately brought in industry security experts to resolve the problem.
[Evan] Who are the "industry security experts"?

"Cotton Traders have recently upgraded all security on their website which has been validated by leading Industry experts."

"We would like to reassure all our customers that their data is secure and that the Cotton Traders website meets all leading Industry security standards."

The exact method used to hack the Cotton Traders website is not known.

Cotton Traders warned that other major retailers would be vulnerable to the same attack saying its website has always met "leading security standards".
[Evan] How do you make a claim like this and not share?!  If other major retailers "would be vulnerable to the same attack", then shouldn't they and the information security industry be notified ASAP?  Maybe they/we have, but I don't think so.  The fact that the bad guys share information so much better than us good guys has been an "industry vulnerability" that has existed for many years.  This seems like another example of the communication barrier that still exists between "industry experts".

The firm has said customers worried about their cards should contact their card provider.

Security groups say the attack highlights the need for laws governing companies' response to breaches, as called for by silicon.com's Full Disclosure campaign.
[Evan] Unfortunately, we need laws to force organizations to do the right things that they should have been doing all along.  If organizations were managed well globally, would we need laws like breach notification statutes, SOX, HIPAA, etc.?  Organizations being well managed globally is a pipe dream.

Commentary:
I don't know what irks me more about breaches like this, the breach itself or the poor response.

Past Breaches:
Unknown


 

Comments
  • 6/16/2008 6:26 PM Benjamin Wright wrote:
    Evan: As a society, why do we emphasize how bad merchants are at securing payment card data? The banks invented the credit card system, not the merchants. The banks designed (and aggressively promoted) a system that made credit card data valuable to hackers. Then, as an afterthought, the banks imposed the PCI on the merchants. As we complain about lazy merchants allowing payment data to escape, why don't we demand that the banks change their system and make card data less of a target for criminals? --Ben http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html
    1. 6/16/2008 7:27 PM Evan Francen wrote:
      Hi Ben,

      Good questions.  I think society places emphasis on the merchant because they are the most visible in breach announcement.  As a collector of information, does responsibility not rest with them to secure it?  It doesn't matter if someone collects credit card information, Social Security numbers, medical information, etc.  Sensitive and confidential information requires protection commensurate with its sensitivity/criticality and risk of loss.

      There have been lessons learned in every breach I have ever responded to or written about.  I certainly don't place all of the blame on merchants.  They just play a significant role.  Banks, Visa, MasterCard, merchants, card processors, victims, criminals, etc. all play a role in the big picture.  Poor information security is poor information security.  I just call it like I see it.

      I agree with you.  The payment card system is broken in my opinion too, but so is the credit reporting system, Social Security system (the practice of using the same number for identification AND authentication), medical records collection and reporting, the insurance industry, and on and on.

      The privacy industry is in need of innovative ideas and talented people.  I had a debate with someone today that claimed we are heading towards a world not too far from that described in the book 1984.  I don't think we will be getting that far anytime soon, but who knows.

      I think I ranted a little, eh?

  • 6/17/2008 10:20 AM Benjamin Wright wrote:
    Evan said: "As a collector of information, does responsibility not rest with them [merchants] to secure it?" My response: The question whether a particular unit of data needs to be secured depends on whether the unit of data fits into a system that considers the data valuable or sensitive. For example, you may have noticed that some banks offer "one-time" credit card numbers. When the merchant receives one of those numbers, the need to secure it is very, very low compared to the need to secure typical credit card numbers. After it has been used, a one-time number is useless to a criminal. Hence, the answer to your question is that collection of data does not necessarily equal an obligation to secure data. In report, after report, after report, society complains about the merchant losing data. But in those reports we never hear complaints about the architecture of the credit card system. The banks designed a system that makes normal credit card numbers sensitive. The system does not have to be designed that way! The banks imposed the current system on the merchants not vice versa. I therefore say merchants need a break, and we need a new credit card system because in truth it is very hard for mere merchants to secure credit card data. What do you think? --Ben http://hack-igations.blogspot.com/2008/04/more-on-tjx-data-breach-and-federal.html
    1. 6/17/2008 10:54 AM Evan Francen wrote:
      Not only did I write "As a collector of information, does responsibility not rest with them", but I also wrote "Sensitive and confidential information requires protection commensurate with its sensitivity/criticality and risk of loss".  I am not referring to one-time, dynamic credit card numbers (such as PayPal's Virtual Debit Card) as this would not necessarily be classified as sensitive or critical.  I am generalizing credit card and transaction information.  If a merchant has the ability to differentiate one-time card numbers from semi-permanent card numbers, then they may choose to classify this information differently.  If they do not have this ability, then there is a strong argument that they should treat all credit card numbers and transactions as sensitive and/or critical.

      Again, I agree with your assessment that the architecture (from merchant to bank) and design of credit card processing is flawed.  These are largely closed systems that are not open to detailed scrutiny, unless a person is willing to wander into the "gray" area of information security, which personally I am not willing to do publicly.

      Where we differ in opinion appears to be in the merchant's role.  I see your argument and respect it as valid.  I think merchants need to be held accountable to a degree.  I also think that the degree of accountability differs from case to case.  I support more accountability for banks and processors (this is more complex than I think I know).

      I appreciate your comments.  One of the goals of this blog is to spur thought in people (security professionals and non-professionals alike), and I think your comments certainly do that.  Thanks!
  • 7/28/2008 9:34 AM Stephen Misson wrote:
    My wife has just found that £1150 has been taken from her debit card and it can only have been as a result of a purchase from Cotton Traders as this has been the only on-line transaction.
    She is ULTRA careful with her card.
