SQL injections compromise Balmar e-commerce site

Date Reported:
6/3/08

Organization:
Balmar Incorporated
Arts Education Partnership ("AEP")

Contractor/Consultant/Branch:
Unnamed hosting provider

Victims:
Online customers

Number Affected:
Unknown

Types of Data:
Names, addresses, telephone numbers, emails, and credit card information.

Breach Description:
Balmar Incorporated notified the Maryland State Attorney General of a breach that occurred sometime between April 4, 2008 and April 30, 2008, in which sensitive customer information was compromised through its e-commerce site.

Reference URL:
Maryland State Attorney General breach notification

Report Credit:
Maryland State Attorney General

Response:
From the online source cited above:

Balmar Incorporated ("Balmar") recently experienced a data security breach in its e-commerce site server.

Balmar has reason to believe that the personal information of seven (7) of its online customers who reside in the State of Maryland may have been accessed sometime between April 4, 2008 and April 30, 2008 without proper authorization.
[Evan] The sensitive information may have been accessed sometime during the 26 days listed above, but as you will read later on in the notification, the attack started as early as March 27th.

The personal information affected may include customer names, addresses, telephone numbers, emails, and credit card information.

Balmar has determined that at least one fraudulent credit card transaction has occurred as a result of this incident.
[Evan] This is likely confirmation that the sensitive information WAS accessed, not "may have been" as stated previously.

A full analysis of our e-commerce server logs revealed on March 27, 2008, an individual initiated several SQL-injection queries on the main page of our e-commerce website from an IP address in Viet Nam.
[Evan] I am pleased to read that Balmar had/has implemented enough logging to determine the type and source of the attack.  I am curious to know why the e-commerce site was under attack from March 27th until as late as April 30th without detection?  Either the Balmar e-commerce site was not protected by intrusion detection/prevention or information security personnel didn't know how to use intrusion detection/prevention.  IDS/IPS is a must-have for e-commerce platforms in most circumstances.  Part of using IDS/IPS is to review and investigate alerts ASAP.

Random queries were attempted over time through March 31st.

By March 31st, the individual had gathered enough information to pipe the queries to a search bot.

By April 4th, the search bot was able to access and transfer data from our e-commerce server to a web page.

Once discovered, Balmar immediately undertook the following actions:
  • Reported the incident to the Virginia State Police and the FBI;
  • Contacted the web page host to demand that the page be disabled;
  • Removed all credit card information from the affected area of our database and moved it to a secured area of the database that cannot be accessed by the method used during the incident;
  • Installed an additional database security solution to detect and prevent any future attempted security breaches;
  • Sent notice to affected customers by letter and e-mail

Balmar's investigation of this incident is ongoing.

We sincerely apologize to you for this situation and want to assure you that protecting the security and privacy of your information remains our top priority.
[Evan] This letter is signed by the President of Balmar, Bruce Seger.  I respect a business leader that speaks (or writes) about information security issues.  It demonstrates his/her ownership.

We have made and will continue to make significant investments in security software, systems, and procedures, and will remain vigilant in protecting you.

For more information, contact us by telephone at 1 or by email at .

Commentary:
Was this an e-commerce site running code that was susceptible to SQL injection attacks and no host or network intrusion detection/prevention?
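An added example, not from the post and not Balmar's code, of the kind of log review Evan's comments and the question above call for: a small Python script that scans web-server access-log lines for injection-style query strings and reports, per source address, how many requests matched and over how many days the activity ran. The log lines, addresses and dates below are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample lines (Apache combined-style). IPs are RFC 5737 documentation
# addresses; timestamps and query strings are invented, not Balmar's logs.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Mar/2008:02:14:09 -0400] "GET /index.asp?id=5 HTTP/1.1" 200 4821
203.0.113.7 - - [27/Mar/2008:02:14:31 -0400] "GET /index.asp?id=5' HTTP/1.1" 500 612
203.0.113.7 - - [27/Mar/2008:02:15:02 -0400] "GET /index.asp?id=5%20or%201=1 HTTP/1.1" 200 9020
198.51.100.22 - - [27/Mar/2008:09:01:44 -0400] "GET /products.asp?cat=3 HTTP/1.1" 200 3310
203.0.113.7 - - [31/Mar/2008:23:40:12 -0400] "GET /index.asp?id=5%20union%20select%201,2,3 HTTP/1.1" 200 7710
203.0.113.7 - - [04/Apr/2008:01:05:55 -0400] "GET /index.asp?id=5%20union%20select%201,2,3 HTTP/1.1" 200 51202
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)

# Defender-side indicators, checked against the URL-decoded query string.
SQLI_PATTERNS = [
    re.compile(r"\bor\b\s+\d+\s*=\s*\d+"),             # tautology such as "or 1=1"
    re.compile(r"\bunion\b\s+(all\s+)?select\b"),       # result-set stacking
    re.compile(r"--|/\*|;\s*(drop|delete|update)\b"),   # comment or stacked statement
]

def is_suspicious(path, status):
    """True if the request's query string looks like an injection attempt."""
    query = unquote_plus(path.split("?", 1)[1]).lower() if "?" in path else ""
    if any(p.search(query) for p in SQLI_PATTERNS):
        return True
    # A lone quote that produced a server error is the classic first probe.
    return "'" in query and status >= 500

def analyze(log_text):
    """Group suspicious requests by source IP with count and first/last seen dates."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m["path"], int(m["status"])):
            hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    return {
        ip: {"count": len(ts), "first": min(ts).date().isoformat(),
             "last": max(ts).date().isoformat(), "span_days": (max(ts) - min(ts)).days}
        for ip, ts in hits.items()
    }
```

Run nightly over the real access log, a report like this would have surfaced the sustained activity from one address long before the data left the server.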

Past Breaches:
Unknown
