Heinemann-Raintree eCommerce site was breached 18 months ago
Date Reported:
7/15/08
Organization:
Pearson Education, Inc.
Contractor/Consultant/Branch:
Heinemann-Raintree
Victims:
Customers
Number Affected:
Unknown
Types of Data:
"names, billing and shipping addresses, payment methods, and credit-card numbers"
Breach Description:
"Heinemann-Raintree, publishers of PreK-Secondary nonfiction books for the library and classroom, maintains websites where customers can learn about and purchase our products. We have learned of a breach of the security of those websites, and wanted to inform you about it because your credit card data may have been compromised"
Reference URL:
New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
Heinemann-Raintree, publishers of PreK-Secondary nonfiction books for the library and classroom, maintains websites where customers can learn about and purchase our products.
[Evan] Can we infer that most of the victims are teachers and/or parents?
We have learned of a breach of the security of those websites, and wanted to inform you about it because your credit card data may have been compromised
[Evan] Securing ecommerce sites requires specialized skills. The fact that credit card data was compromised raises the natural question of whether the company was, or is, PCI compliant. Not that PCI compliance guarantees security.
We recently learned that in January 2007, an unauthorized person was able to obtain access to the database that contains the product information used by the Heinemann-Raintree websites.
[Evan] An "unauthorized person" gained access to customer order information in January 2007, and the company only recently learned of it?! That does not reflect well on the security of the ecommerce site(s). From PCI DSS Requirement 10, "Track and monitor all access to network resources and cardholder data," section 10.6: "Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS)." There is no excuse for a breach going undetected for roughly eighteen months.
This gave the person the ability to view information appearing on the websites, including information provided by our customers to buy Heinemann-Raintree products on the sites.
[Evan] It is not clear, but it seems as though the "unauthorized person" gained access in January, 2007 and maintained their access until it was "recently learned"!
As a result, this person may have been able to view our customers' names, billing and shipping addresses, payment methods, and credit-card numbers
When we learned of this unauthorized access, we immediately discontinued operation of the websites, on a temporary basis, and corrected the problem that was allowing the unauthorized access.
[Evan] Why rush now? Kidding.
The websites are now up and running, and we are safe and secure.
They can be reached at www.heinemanraintree.com, www.heinemannlibrary.com, and www.heinemannclassroom.com
[Evan] I hope that most people click a link and are referred to these websites. They're a pain in the rear to type.
As a result of this unauthorized access, it is possible that your credit card information could be misused, although at this time we have seen no evidence that this has occurred.
We have notified our credit card processor of this incident.
We also recommend that you contact your credit card issuer to advise them of this incident and to arrange for a new credit card.
Please know that we greatly regret that this incident occurred, and we have taken steps to correct the problem.
We are fully committed to protecting the privacy and confidentiality of our customers' personal information.
If you have any questions about this incident, about this letter, or about other issues raised here, please call the Heinemann-Raintree Customer Service Center at .
Commentary:
The letter to the affected customers was signed by Graham Shaw, the President of the company. I respect that.
The breach notification doesn't give many details about how the site(s) were breached or which vulnerability(ies) were exploited. The fact that the site was compromised for so long without detection is definitely cause for concern, but I presume that this has been corrected.
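The Requirement 10.6 point above is easier to see with a concrete review routine. What follows is an added example, not code from Heinemann-Raintree, Pearson or the breach notification; the audit-log line format, the table names, the access policy and the sample log lines are all constructed assumptions. It applies a simple policy (which database principals may touch the cardholder tables, from which hosts, during which hours) to database audit-log lines and groups every violation by day, which is the kind of finding a daily review under 10.6 is supposed to surface. An unauthorized read of the orders table from an unknown account and host, or a legitimate application account used from an unexpected address, shows up the same day rather than eighteen months later.

```python
"""Daily review of database audit logs for cardholder-data access.

Added illustration for PCI DSS Requirement 10.6; not code from the
company in the breach notice. The log format, table names, policy and
sample lines below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed (hypothetical) audit-log line format:
#   <ISO timestamp> user=<db principal> src=<client ip> db=<name> stmt=<SQL>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) db=(?P<db>\S+) stmt=(?P<stmt>.*)$"
)

# Assumed policy: tables holding cardholder data, and who may touch them,
# from which application hosts, during which hours (local time).
CARDHOLDER_TABLES = {"orders", "payment_cards"}
POLICY = {
    "storefront_app":   {"sources": {"10.0.1.10", "10.0.1.11"}, "hours": range(0, 24)},
    "batch_settlement": {"sources": {"10.0.1.11"},              "hours": range(1, 4)},
}
APPROVED_HOSTS = set().union(*(r["sources"] for r in POLICY.values()))

# Constructed sample log: normal storefront traffic, a nightly settlement
# job, an unknown account reading card data from the Internet, and the
# storefront account used from a host that is not an app server.
SAMPLE_LOG = """\
2007-01-14T10:02:11 user=storefront_app src=10.0.1.10 db=shop stmt=SELECT title,price FROM products WHERE sku='HR1234'
2007-01-14T10:02:12 user=storefront_app src=10.0.1.10 db=shop stmt=INSERT INTO orders (name,addr,card_no) VALUES (...)
2007-01-14T23:41:05 user=web_ro src=203.0.113.44 db=shop stmt=SELECT name,addr,card_no FROM orders
2007-01-14T23:41:09 user=web_ro src=203.0.113.44 db=shop stmt=SELECT * FROM payment_cards
2007-01-15T02:00:00 user=batch_settlement src=10.0.1.11 db=shop stmt=SELECT card_no FROM payment_cards WHERE settled=0
2007-01-15T09:15:30 user=storefront_app src=198.51.100.7 db=shop stmt=SELECT card_no FROM orders WHERE id>0
"""


def parse(line):
    """Parse one audit line into a dict, or return None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.fromisoformat(entry["ts"])
    return entry


def tables_referenced(stmt):
    """Crude extraction of table names following FROM/INTO/UPDATE/JOIN."""
    return {
        t.lower()
        for t in re.findall(r"\b(?:FROM|INTO|UPDATE|JOIN)\s+([A-Za-z_][A-Za-z0-9_]*)", stmt, re.I)
    }


def review(entry):
    """Return the list of policy violations for one entry (empty if clean)."""
    touched = tables_referenced(entry["stmt"]) & CARDHOLDER_TABLES
    if not touched:
        return []                      # not cardholder data; out of scope here
    reasons = []
    rule = POLICY.get(entry["user"])
    if rule is None:
        reasons.append(f"principal {entry['user']} has no approved access to {sorted(touched)}")
        if entry["src"] not in APPROVED_HOSTS:
            reasons.append(f"source {entry['src']} is not an approved application host")
    else:
        if entry["src"] not in rule["sources"]:
            reasons.append(f"principal {entry['user']} used from unapproved source {entry['src']}")
        if entry["ts"].hour not in rule["hours"]:
            reasons.append(f"access at {entry['ts'].time()} is outside the approved window")
    return reasons


def daily_review(log_text):
    """Group findings by calendar day so a reviewer can clear one day at a time."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse(line)
        if entry is None:
            continue
        reasons = review(entry)
        if reasons:
            findings[entry["ts"].date().isoformat()].append((line, reasons))
    return dict(findings)


if __name__ == "__main__":
    for day, items in sorted(daily_review(SAMPLE_LOG).items()):
        print(day)
        for line, reasons in items:
            print("  ", line)
            for reason in reasons:
                print("      -", reason)
```

Run against the constructed sample, the review flags the two `web_ro` reads from 203.0.113.44 on 2007-01-14 and the `storefront_app` query from 198.51.100.7 on 2007-01-15, while the product lookup, the storefront's own insert and the settlement job pass. The policy is deliberately a plain allow-list of principals, hosts and hours: that is enough to catch both an unknown account and a stolen application credential, which is the whole point of reviewing cardholder-data access every day rather than waiting for a card processor to report fraud.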
Past Breaches:
Unknown