Sundown Mountain Resort customer information compromised
Date Reported:
11/20/08
Organization:
Sundown Mountain Resort
Contractor/Consultant/Branch:
Net-Smart
Location:
Dubuque, Iowa
Victims:
Online customers
Number Affected:
Unknown
Types of Data:
"credit card information"
Breach Description:
"On Tuesday, Sundown Mountain alerted its online customers that their credit card information might have been compromised."
Reference URL:
Telegraph Herald
Report Credit:
Courtney Blanchard, Telegraph Herald
Response:
From the online sources cited above:
On Tuesday, Sundown Mountain alerted its online customers that their credit card information might have been compromised.
[Evan] It seems as though everybody wants to offer the convenience of shopping online to their customers, but not everybody knows how to do so securely.
General Manager Mark Dietz said the leak appears to have occurred between Nov. 5 and Nov. 9, in the days leading up to the resort's open house when prices for season passes increase by $100.
"All we know is something happened through our Web site or Web host," Dietz said.
[Evan] This is scary. Who is investigating?
He declined to comment on how many customers were affected but said purchases made over the phone or in person were safe.
The company temporarily disabled online purchases and is working to change the Web site.
[Evan] At the time of this posting, online purchases are still disabled. There is no mention of the breach on the site, however.
In this case, the security breach appears to be isolated, said Dubuque City Council member and Net-Smart President Kevin Lynch.
Net-Smart, a local company that hosts several Web sites, operates the Sundown site.
[Evan] There are at least 33 other web sites that resolve to the same IP address (likely hosted on the same server). Let's hope that this breach is "isolated"! The fact that nobody is really sure how this breach happened doesn't instill much confidence, does it?
"It's a grim reminder that we all need to be extra vigilant and do things that are necessary to protect ourselves (online)," he said.
Lynch said he was unsure how the credit card numbers became available, whether it was an outside hacker or someone local who discovered a password written down somewhere.
[Evan] Mr. Dietz (Sundown Mountain Resort GM) does not know and Mr. Lynch (Net-Smart President) does not know either.
"It could have happened in any one of a dozen different places where people could gain access to things," he said.
[Evan] Risk management? Have the "dozen different places" been identified and was anything done to mitigate the risk? Were the "dozen different places" monitored and activity logged?
Despite the risks, local experts say that shopping online is getting safer as technology improves.
[Evan] I don't know if I agree.
"In my opinion, if you take advantage of the security features available at most financial institutions, I would say that shopping online is safer now than it was in the past," said Gregg Liddle, executive vice president of operations at Dupaco Community Credit Union.
Banks now offer services like "Verified by Visa" that allow customers to create a password to use along with a credit card number, he said.
[Evan] "Verified by Visa" helps protect customers, but it does not address poor information security practices on the part of the merchant.
Most financial institutions and companies also monitor activity on credit cards.
"This neural network has the ability to flag a suspicious transaction, block it and attempt to notify the cardholder to verify that the transaction is legitimate," Liddle said.
The most common red flags are purchases made far outside the local area, across the country or overseas, said Bret Tuley, vice president of operations and finance for Dubuque Bank & Trust.
"If you're going to travel internationally, it's a good tip to tell your bank first," Tuley said.
If someone discovers unauthorized charges, the best thing to do is to call the bank and get a new card.
[Evan] Excellent advice. Even if a person suspects that the confidentiality of his/her credit card information has been compromised, he/she should request a new card.
"If you're online, look to see you're on a secure Web site," Tuley said, referring to the symbol that appears on encrypted and secure sites.
[Evan] It is a good idea to look for the little lock symbol in your browser, but it does not ensure security. Recognize it for what it is. It may ensure that the site has a certificate (some legitimacy) and that the data is encrypted between the client and the server. It does nothing to protect information before or after the merchant has it.
The incident remains under investigation by the Dubuque County Sheriff's Department.
Commentary:
Nobody seems to know how the breach happened, and if nobody knows how it happened, how do they prevent it from happening again?
Past Breaches:
Unknown
