Digital River breach affects "a dozen different companies"


Date Reported:
6/4/10

Organization:
Digital River, Inc.

Contractor/Consultant/Branch:
Digital River Marketing Solutions, Inc. (DirectTrack)

Location:
Pittsburgh, Pennsylvania

Victims:
Digital River, "a dozen different companies", and individuals

Number Affected:
198,398 (unconfirmed)

Types of Data:
"names, e-mail addresses, websites, company names and unique user-identification numbers"

Breach Description:
"A massive data theft from the e-commerce company Digital River Inc. has led investigators to hackers in India and a 20-year-old in New York who allegedly tried to sell the information to a Colorado marketing firm for half a million dollars."

Reference URL:
Star Tribune
TradingMarkets.com
Top Tech News
The Register

Report Credit:
Dan Browning, Star Tribune

Response:
From the online sources cited above:

E-commerce company Digital River exposed data belonging to almost 200,000 individuals after hackers executed a “highly unusual search command” against its secured servers, according to a news report.
[Evan] Oooh.  Sounds super-sophisticated, almost.

The breach came to light only after a 19-year-old New York man allegedly tried to sell the purloined data for as much as $500,000, The Minneapolis Star-Tribune reported Friday.

After Eric Porat made repeated attempts to persuade a company called Media Breakaway to buy the information, company officials alerted their counterparts at Digital River, the paper reported, citing court documents.
[Evan] Most crooks are stupid.  At least we have that going for us.

A federal grand jury is investigating the matter with help from the FBI.

The data contained names, email addresses, websites, and unique user-identification numbers for 198,398 individuals.

These data are valuable to companies seeking targeted marketing lists of potential customers.

It was originally gathered by affiliated marketing companies using software offered by Digital River's subsidiary Direct Response Technologies and stored on password-protected servers.
[Evan] The software is called DirectTrack.  I think most people don't even realize that companies collect this kind of data about them.

It was stolen in late January using a “highly unusual” search command. The report didn't elaborate.
[Evan] I wonder what the "highly unusual" search command was, and why intrusion detection/prevention systems didn't alert on it.  An important purpose of intrusion detection/prevention systems is to alert on unusual and/or suspect activity.

Porat, who lives at home with his parents, allegedly claimed to offer the data to the highest bidder.

He told the CEO of Media Breakaway he obtained it from a former Digital River consultant, who managed to siphon it off the servers when security systems were taken down temporarily.

Digital River suspects the information was stolen by hackers in New Delhi, possibly with inside help.

"I fully suspect that Mr. Porat hacked the hacker," said Christopher Madel, an attorney with Robins, Kaplan, Miller and Ciresi who is overseeing Digital River's investigation.

Orders filed under seal last month block Porat from selling, destroying, altering, or distributing the data.

Additional Information:
Scott Richter, CEO of Media Breakaway, said in a court filing that Porat claimed to be offering the DirectTrack data to the highest bidder.

Gary Olden, vice president of product management at Digital River Marketing, said in a court filing that an internal investigation found that the stolen data was accessed Jan. 27 from four different computers linked to a DirectTrack customer in New Delhi named VCommission, or Vaxat iTech Pvt. Ltd.

He said the data was downloaded using a "highly unusual" search command.

Olden said he could find only one other instance where that type of command was used to access DirectTrack data.

It took place six hours after the command was issued in India, and it came from another customer, Clickbooth/IntegraClick, a marketing firm in Sarasota, Fla.

In that case, though, the user only accessed Clickbooth/IntegraClick's own data, he said.

Olden said his customers and clients view data security as an important component of DirectTrack, as they have "a significant interest in ensuring that their customer lists are not made available to their competitors (let alone sold to the highest bidder)."
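The two signals in Olden's account, a command type seen only twice and whether the rows returned belonged to the requesting customer, can be checked together during log review. The following is an added example, not code from Digital River or the cited reports; the audit-record layout, customer names and command labels are constructed, since the reports do not describe the actual command.

```python
from collections import Counter

# Constructed audit records (layout is an assumption, not DirectTrack's):
# (timestamp, requesting customer, command type, owners of the rows returned)
ROUTINE = [(f"2010-01-{day:02d}T10:00", cust, "report", {cust})
           for day in range(1, 28) for cust in ("cust-a", "cust-b", "cust-c")]
UNUSUAL = [
    # One customer pulls rows belonging to every customer.
    ("2010-01-27T04:00", "cust-b", "bulk_search", {"cust-a", "cust-b", "cust-c"}),
    # Same command type six hours later, but only the caller's own rows.
    ("2010-01-27T10:00", "cust-c", "bulk_search", {"cust-c"}),
]
AUDIT_LOG = ROUTINE + UNUSUAL


def review(log, max_seen=2):
    """Flag command types seen at most max_seen times and any cross-customer read."""
    seen = Counter(cmd for _, _, cmd, _ in log)
    findings = []
    for ts, customer, cmd, owners in log:
        rare = seen[cmd] <= max_seen
        foreign = sorted(owners - {customer})
        if not (rare or foreign):
            continue
        findings.append({
            "time": ts,
            "customer": customer,
            "command": cmd,
            "rare_command": rare,
            "foreign_owners": foreign,
            # Reading another customer's rows is the breach condition;
            # a rare command confined to the caller's own data only needs review.
            "severity": "critical" if foreign else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in review(AUDIT_LOG):
        print(finding)
```

Run against live audit data rather than months later, the same check would separate the cross-customer read from the benign use of the same command on the day it happened.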

Commentary:
So was this a successful "hack" against Digital River servers, or was this data stolen by a consultant working for the company, as claimed by Mr. Porat?  In order for us to determine for ourselves, we need more information.  According to the news reports, Digital River does suggest the possibility of inside help.  Heck, this breach could be the result of something as simple as a compromised set of user credentials and SQL injection. The fact that only 200,000 records are reported leads me to believe that the bad guys only had access to a subset of information and/or they only had access for a short time.  So many questions.  Maybe we'll find out someday, maybe we won't.

It doesn't look good when you don't detect or respond to a technical breach in a timely manner.  The breach occurred on January 27th, and the lawsuit was filed on May 13th.  It also doesn't look good when you only become aware that a breach occurred through a competitor.

It will be interesting to read more about this in the coming weeks/months.

Past Breaches:
Unknown


 