Burlington Coat Factory’s Site Shut Down By DDOS Attack, 45-Hour Incident Complicated By Comments

Written by Evan Schuman
May 12th, 2011

Attackers shut down the Burlington Coat Factory chain’s site late Sunday (May 8) with a distributed denial of service attack, one that kept the site and its mobile counterpart shuttered until mid-afternoon Tuesday (May 10). The 45-hour incident was complicated by a CIO statement that “there was no breach of security systems”—proving a negative is never easy—and by some customer service representatives who told customers a very different story.

Problems were first detected with Burlington’s main site—called—about 4 PM (New York time) on Sunday (May 8), when Web uptime tracking site AlertBot noticed “intermittent outages.” The site then went completely dark at about 5:20 AM Monday (May 9), said AlertBot’s Justin Noll.

Burlington’s official version is slightly different, with a statement issued by CIO Dennis Hodgson saying that the chain “was subjected to a denial of service attack early” Monday.

In a clarification E-mail exchange, Hodgson corrected his reference to a DOS attack to the more extensive DDOS. “It was in fact a DDOS attack that flooded our servers with traffic,” Hodgson wrote. No clarification was offered on the timing.

The CIO statement—without mentioning times—said that the chain “decided to shut down its site while we worked on a solution.” It’s unclear if it was Burlington that caused the full shutdown at 5:20 AM Monday or if it was the attackers, with Burlington opting to not try to bring the site up while a defense was mounted.

From a retail strategy position, though, the more interesting comment was the next line: “We have determined that there was no breach of its security systems.” This raises a few issues. The typical post-breach comment—to comfort customers who are worried about stolen payment-card data or personal information sought by identity thieves—is more reserved, such as “at this stage of our investigation, we have found no evidence of any data breach.”

To outright pledge that there was no breach seems ill-advised. The best cyberthief attacks carefully hide their tracks, leaving little to no evidence of their data-copying efforts. Indeed, in the details that came out this month from the massive Sony data breach, the attackers literally used a DOS attack as a diversion while they engaged in a data breach impacting more than 100 million accounts.

The other issue with the security statement is the phrase “no breach of its security systems.” It seems as though the CIO’s intent was to make clear that neither payment-card nor PII data seemed to have been impacted. But isn’t the mere act of a successful DDOS attack clearly a breach of a chain’s security systems?

To say that cyberhoodlums deprived your customers of your site—and deprived your chain of its ability to make cyber sales and to direct customers to its stores and its mobile site—and did so against the law and to then say that “there was no breach of security systems” is truly baffling.

Further complicating the situation were some customer service people—specifically handling the Web site—who told callers that the site was down because an update at one of Burlington’s sites—Baby Depot—inserted a duplicate product code, which cascaded into a problem with a large number of product codes. Hodgson quickly said that Baby Depot had nothing to do with the incident and that the chain had not been discussing the particulars of the attack with customer service call center people at that point.

That is absolutely the proper way to handle such a matter. But it does bring up a cyber-attack-related training and policy issue. Although nature may indeed love a vacuum, customer service reps—the ones who will be dealing with your customers during an incident like this—decidedly do not, especially an information vacuum.

Faced with questions, they will tend to repeat rumors, make guesses and do anything else they can think of to avoid sounding out-of-the-loop. If answers will make customers happier, they’ll offer some. This is true unless the company has specific answers that it gives reps the instant a problem kicks in. Focusing elsewhere and letting the call center people fend for themselves for hours may have them giving answers you won’t be happy with.

