The Image Group site falls victim to SQL injection
Technorati Tag: Security Breach
Date Reported:
9/29/08
Organization:
The Image Group
Contractor/Consultant/Branch:
None*
*The website domain related to this incident is theideacatalog.com, for which the registrant and administrative contact is Target Marketing. The IP address for the www.ideacatalog.com website is 74.84.205.104 and belongs to the block 74.84.205.0 - 74.84.205.255, which is assigned to Target Marketing. The site may have been developed and/or managed by Target Marketing.
Location:
Charlotte, North Carolina
Victims:
Online customers
Number Affected:
Unknown**
**There are 37 New Hampshire residents affected, but the total is unknown.
Types of Data:
"Name, credit card/debit card number, expiration date, address and the CVV code"
Breach Description:
The Image Group has notified the New Hampshire State Attorney General and online customers that their e-commerce site fell victim to a series of successful SQL injection attacks from January to August, 2008. The compromised database contained sensitive personal and financial information belonging to customers of the company.
Reference URL:
The New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
We are writing to inform you of a recent security incident involving The Image Group, headquartered in Ohio.
From January to August of this year, hackers through the use of a hacker tool known as SQL injection were able to access names and credit or debit card information of the persons who placed orders on our e-commerce site.
[Evan] Seven months of SQL injection attacks? Sheesh. SQL injection attacks have been around almost as long as SQL itself. E-commerce site developers and operators should know better. Either The Image Group's e-commerce site was not tested for PCI DSS compliance or their ASV (Approved Scanning Vendor) should be fired. "Web applications must be tested for SQL injection and cross-site scripting vulnerabilities." Source: Payment Card Industry (PCI) Data Security Standard Technical and Operational Requirements for Approved Scanning Vendors (ASVs).
While this was discovered in August, it appears that the unauthorized access began in January and occurred again in August of this year.
Name, credit card/debit card number, expiration date, address and the CVV code that you provided that is on the back of your credit card.
[Evan] Storing CVV codes is a definite no-no and is a non-compliant practice.
No social security numbers or dates of birth were involved.
Upon learning of the breach, we shut down the web site through which the unauthorized access occurred.
In addition, we had a forensic audit performed and we have commenced or concluded the remedial actions suggested within the audit.
[Evan] I wonder who conducted the audit and what exactly came of it.
We are also working with our merchant bank and the Card Associations to address issues associated with the credit card information taken and to notify the issuing banks for those cards.
We intend to send the enclosed letter to the affected persons on October 6, 2008.
We deeply regret this unfortunate situation.
We sincerely apologize for any inconvenience that this may cause you.
If you have additional questions, please call us toll-free at
Commentary:
There are thousands of ecommerce sites like The Image Group's site. It is a sad situation. It stinks when information security is an afterthought. There are few excuses for SQL injection attacks nowadays and there is no excuse for the lack of testing on a regular basis. The decision to store CVV codes obviously didn't help matters either.
Past Breaches:
Unknown
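The two failures the commentary calls out, an order lookup built by string concatenation and a checkout that persists the CVV, shown beside their corrected forms. This is an added illustration, not code from The Image Group's site; the table layout, the function names and the sample rows are constructed for the example.

```python
import sqlite3

# Constructed in-memory order table; no CVV column exists by design.
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, "
    "card_last4 TEXT, expiry TEXT, address TEXT)"
)
conn.executemany(
    "INSERT INTO orders (customer, card_last4, expiry, address) VALUES (?, ?, ?, ?)",
    [("Alice", "1111", "01/10", "1 Main St"), ("Bob", "2222", "06/11", "2 Oak Ave")],
)


def lookup_vulnerable(customer):
    # The defect: user input is spliced into the SQL text, so quote
    # characters in the input change the query instead of being data.
    sql = f"SELECT customer, card_last4 FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_safe(customer):
    # Parameterized query: the driver binds the value; it can never
    # alter the statement, whatever characters it contains.
    return conn.execute(
        "SELECT customer, card_last4 FROM orders WHERE customer = ?", (customer,)
    ).fetchall()


def store_order(customer, pan, expiry, cvv, address):
    # The CVV is needed only for the authorization request and is not
    # written anywhere. Only the last four PAN digits are persisted here;
    # storing the full PAN would bring the database into PCI DSS scope.
    assert len(cvv) in (3, 4), "CVV is used for authorization and then discarded"
    cur = conn.execute(
        "INSERT INTO orders (customer, card_last4, expiry, address) VALUES (?, ?, ?, ?)",
        (customer, pan[-4:], expiry, address),
    )
    return cur.lastrowid


def stored_columns():
    # Lets a reviewer confirm that no CVV (or full PAN) column exists.
    return [row[1] for row in conn.execute("PRAGMA table_info(orders)")]
```

With a tautology as the customer name, the vulnerable lookup returns every row while the parameterized lookup returns nothing.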