Altman Weil online store compromised

Date Reported:
5/27/08

Organization:
Altman Weil, Inc.

Contractor/Consultant/Branch:
Unnamed web hosting vendor

Victims:
Customers

Number Affected:
Unknown*

*21 Maryland residents were affected

Types of Data:
"credit card information"

Breach Description:
On May 16, 2008, Altman Weil was notified by the company that hosts their on-line web store that credit card information belonging to Altman Weil customers was compromised through a "SQL virus" attack.

Reference URL:
Maryland State Attorney General breach notification

Report Credit:
The Maryland State Attorney General

Response:
From the online source cited above:

On May 16, 2008, we were advised by the company that hosts our On-line Store website that an external virus (known as the SQL virus) accessed their server and may have attacked the credit card information of certain Altman Weil customers.
[Evan] What is "the SQL virus"? Is this referring to an attack like that in this story "Huge Web hack attack infects 500,000 pages", an attack like the Slammer worm (some would argue that this is the true "SQL virus") or just poor coding that led to a simple SQL injection attack?

Upon learning of this unauthorized breach and attack, on that same day, Altman Weil immediately authorized the hosting company to shut the site down so that access is no longer possible.

We were told by the hosting company that the server on which the On-line Store resided was password protected and had current firewalls and security protection, but we understand that the SQL virus may nonetheless have accessed credit card information.
[Evan] I doubt that the password protection or "current firewalls and security protection" would have had much effect against poor coding or missing patches.  The term "current firewalls and security protection" is pretty subjective, so I can only speculate.

We are actively investigating this attack and are also addressing this incident to fully determine the extent to which credit card information of our customers may have been accessed.

We are looking for any help that your office or other state and/or federal agencies might be able to provide in assisting us to identify and pursue those responsible for this attack.
[Evan] This is an interesting request.  I think this is the first time that I have read where a company asks for assistance from the Attorney General.

Here are the steps we have taken to date, we:

  1. On May 16, 2008, notified the Merchant Bank, Bryn Mawr Trust of the potential security breach
  2. On May 16, 2008, learned that Bryn Mawr Trust outsources the actual credit card functions of the Merchant Bank to TransFirst.
  3. On May 16, 2008, contacted TransFirst and notified it of the potential security breach and was informed that it would notify the three credit card companies, Visa, MasterCard and American Express.
  4. On May 16, 2008, Altman Weil independently notified Visa, MasterCard, and American Express of the potential security breach.
  5. On Saturday, May 24, 2008, notified all card holders whose cards were current (i.e. the expiration dates had not kicked in yet) by telephone calls placed.
  6. Notified all card holders by letter of the situation and the possible risk
  7. Notified the following law enforcement agencies:
     1. Local police department located in Newton Square, Pennsylvania, where Altman Weil is located on May 23, 2008.
     2. Secret Service's ECTF and Electronic Crimes Working Group on May 24, 2008.
     3. Every state Attorney General in the states where potentially affected cardholders reside on May 27, 2008.
     4. Federal Trade Commission on May 27, 2008.
     5. Office of Thrift Supervision on May 27, 2008.
     6. Office of the Comptroller of the Currency on May 27, 2008.
     7. Federal Deposit Insurance Corporation on May 27, 2008.
     8. Board of Governors of the Federal Reserve System on May 27, 2008
  8. Assured that the hosting company has preserved logs and electronic evidence, has logged all actions taken, and has not altered or compromised the systems.
  9. Retained forensic auditors at are [sic] own expense to undertake a thorough technical investigation of the cause and extent of the breach.
  10. Committed to be back in touch with those customers who might be at risk with further information, once we have it.
[Evan] Whether I agree with the steps taken or not, I do appreciate the candid response.  Without being close to the incident, it seems like Altman Weil did a good job.  I presume from the structure that Altman Weil either has incident response procedures or they received good advice.

For more information contact Joann Miller, at Altman Weil, Inc. at , or via email at:

Commentary:
This is an interesting breach, although we are not really clear on the details due to the terminology used in the notification.

Past Breaches:
Unknown


 