A breach involving Gloria Jean's Coffees' e-commerce site

Date Reported:
9/17/08

Organization:
Gloria Jean's Coffees

Contractor/Consultant/Branch:
Smith Micro, Inc.

Location:
Irvine, California

Victims:
Online customers

Number Affected:
511

Types of Data:
"may include customer names, addresses, telephone numbers, emails, and credit card information"

Breach Description:
"We regret to inform you that earlier this month, our www.gloriajeans.com website was the subject of an illegal attack that allowed an unknown person or persons to obtain the addresses and credit card numbers of some of our valued customers as they were placing orders on our site."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

Pursuant to NH. Rev. Stat. 359-C:20, this letter is to inform you that Gloria Jeans Coffee (Gloria Jean's) recently experienced a data security breach in its e-commerce site hosted by Smith Micro, Inc.
[Evan] I don't think this is the same Smith Micro as in Smith Micro Software, but this is the only Smith Micro that I know of.

The total customers affected by this breach were five hundred and eleven (511).

The personal information affected may include customer names, addresses, telephone numbers, emails, and credit card information.

Gloria Jean's has not determined that any fraudulent credit card transaction has occurred as a result of this incident.

A full analysis of our e-commerce server files revealed on September 4th, 2008 an individual initiated modifications to our checkout web pages from a shared IP address located in the United States.

On September 10, 2008, the intrusion was identified and we learned that the modifications were able to access and screen capture the personal transaction information and dump the information to an external server and log file.
[Evan] This is interesting.  The intruder was able to manipulate the checkout process in order to grab screen captures?  This means that the attacker likely got "card not present" information such as CVVs (Card Verification Values).  I wonder how this was done exactly.  Based on the dates (9/4 - 9/10) and the number of exposed customers (511), we can infer how busy the Gloria Jean's e-commerce site is.

At no time was our encrypted database exposed to this intrusion.

Because we do not collect your Social Security Number or other financial account information, the attacker has access to only your credit card number, name and address.
[Evan] and CVVs

[Image: source Pinoy Padala Online]

Once discovered, Gloria Jean's immediately undertook the following actions:
  • Took its website off line and confirmed that there was no malicious or unauthorized code included as part of its website before returning the site was returned to service [sic];
  • Contacted the server host of the intruder's log file with consumer information to have the IP address disabled and inaccessible;
  • Installed server security solutions to detect and prevent any medications[sic] to our web pages with out proper authorization;
  • Locked down File Transfer Protocol (FTP) to specific IP's and implemented SSL encryption to this service for our website;
  • Reported the incident and provided relevant materials to the United States Secret Service Electronics Crimes Task Force (ECTF)
  • Sent notice to affected customers by U.S. First Class mail and email
[Evan] So was there no malicious and unauthorized code present, or did they find it and remove it?  If there was malicious code present, it probably would have been a better idea to rebuild the server.  TCP port 21 (commonly used for FTP) is still accessible from my IP address in Minnesota.

We also have added a number of additional security enhancements to our web site to prevent a recurrence of this attack
[Evan] Like what?

Gloria Jean's investigation of this incident is ongoing in cooperation with its initial report and provision of materials to a representative from the ECTF.
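The remediation list above mentions installing controls to detect unauthorized modifications to the web pages; the minimal form of that control is a file-integrity baseline of the web root, compared on a schedule. The following is an added example, not code from Gloria Jean's or Smith Micro; the directory layout and file contents are constructed for illustration.

```python
"""Baseline-and-compare integrity check for a web root: detects a checkout page
that changed after an authorized deploy, plus unexpected new or missing files.
Added example; the site files below are constructed, not from the incident."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(web_root: Path) -> dict[str, str]:
    """Map each file (path relative to web_root) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(web_root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(web_root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift from the baseline: content changed, file added, file removed.
    'added' matters as much as 'modified': an injected script is often a new file."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a two-page site after an authorized deploy,
    then alter the checkout page and drop one extra file, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "checkout").mkdir()
        (root / "index.html").write_text("<html>home</html>")
        (root / "checkout" / "payment.html").write_text("<form>card form</form>")
        baseline = snapshot(root)  # in practice stored read-only, off the web server
        # Changes made after the baseline, without going through the deploy process
        (root / "checkout" / "payment.html").write_text("<form>card form</form><!-- edited -->")
        (root / "checkout" / "extra.js").write_text("// file not present at deploy time")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The baseline must live somewhere the web server account cannot write, otherwise whoever can alter the pages can also re-baseline them.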

Commentary:
Do you wonder if Gloria Jean's e-commerce site was PCI compliant?  I do, and additionally I wonder how often the security of the site was tested and why they appeared to have employed no intrusion detection/prevention.

Gloria Jean's does deserve some credit for a speedy response.

Past Breaches:
Unknown
