Network Solutions Data Breach Hits 574,000 Consumers

Written by Evan Schuman
July 27th, 2009

An E-Commerce software company that, as part of its service for small retailers accepted payment card data and then sent it to various processors, has found itself on the wrong end of a breached company news release, confirming that payment data from some 574,000 customers—processed through 4,343 of its small retail clients—had been accessed. The stolen data included transaction specifics, card account numbers, names and consumer addresses.

The details include an early PCI attempt to try and walk back the certification, retailers complaining about their names appearing in a breach notification letter and the vendor bringing in General Dynamics, a familiar name from the data breach probes of both TJX and Hannaford. Plus a former IT manager with the company claiming that they retain credit card data a lot longer than they say they do.

The vendor—Network Solutions—had been certified PCI compliant (you just knew that was coming, no?) Visa has been fine-tuning its revisionist-history dance, where it has declared that no PCI compliant organization has ever been breached, forcing the card brand to find a reason to unvalidate any entity that had been certified compliant. A statement from the PCI Council on Monday (July 27) laid the groundwork for taking back the PCI certification that assessor PSC granted them last Halloween. (A PCI certification that is good only until a breach happens? Now that’s a scary retail trick-or-treat.)

The statement under the name of Bob Russo, the general manager for the PCI Security Standards Council, said: “Until a forensics investigation is completed, an organization cannot comment accurately on its compliance status.” The statement then said that ongoing vigilance is essential in maintaining PCI compliance. Once again, the retailer dreams of a PCI Safe Harbor are just that.

Back to the Network Solutions breach. Network Solutions provides a full E-Commerce suite, designed for very small retailers. Although a small business is generally defined as fewer than 100 employees, Network Solutions PR Director Susan Wade said “Our average merchant tends to have fewer than ten employees.” It has the usual shopping cart and design elements, which is customized for thousands of small retailers. Each retailer has to arrange for its own processor, of course, but Network Solutions relays the credit card info from its site to the processor chosen by that merchant.

During an ordinary maintenance sweep in early June, Wade said, code was discovered on certain parts of various servers. Network Solutions CEO Roy Dunbar said in a letter: “We believe that some credit card transactions that took place on your website this past spring were intentionally diverted from certain of our servers to servers outside Network Solutions by an unknown source.”

Network Solutions brought in General Dynamics to help diagnose the problem. General Dynamics is getting to be an old hand at such matters, given that it had performed the same sort of post-breach evaluation for TJX and also worked with Hannaford on boosting its post-breach security.

“It took quite a while to crack the code,” Wade said, adding that they finally figured out “some of the code” on July 13 and saw that it had been grabbing payment data and sending it outside the network.

The E-Commerce vendor was able to identify very specific numbers of those impacted—4,343 retailers and 573,928 consumers—because “that’s the number of sites that were on the portions of the servers that were impacted,” Wade said, adding that the impacted transactions were made between March 12, 2009 and June 8, 2009.


6 Comments | Read Network Solutions Data Breach Hits 574,000 Consumers

  1. Della Lowe Says:

    Compliant but not secure – it is a chant that security vendors have been singing for some time and getting accused of just trying to sell their wares. A breach of this enormity while “compliant” should send a real message to those who are still looking at the cost/benefit analysis and betting that they won’t get breached. One telling quote in your piece is “During an ordinary maintenance sweep in early June.” Do you leave your house and only lock the door once every three months. To protect your network and your data you need not only strong encryption but also 24×7 monitoring of both your wired and your wireless network(s).

  2. Todd Michaud Says:

    The quote about a merchant being considered compliant until there is a breach (and then having that compliance revoked) is outrageous. First Hannaford, now Network Solutions, who is next. What is the point of gaining compliance?

    To me the scary part of this is that since PCI-DSS cannot seem to “manage” the issue, states are taking matters in their own hands and in most cases taking horrible approaches (it is almost impossible for a small retailer to be compliant with the new Massachussets data privacy law). It’s only a matter of time before Congress tries to stave off the state laws with some expansion of FACTA or something new all together. I am not looking forward to that day.

  3. Tom Mahoney Says:

    Once again the industry is doing its best to put all the blame on the path of least resistance – the merchant.

  4. susan champoion Says:

    The scariest part of it all is that no matter what they do the data is still there in some format. The goal is to somehow remove all the data. If thieves can’t find a good pond to fish in with lots of fish (all the credit card data); they have to go somewhere else.

  5. Greg McGraw Says:

    A more cautionary note would be… OK. Network Solutions got hacked over an 88 day period. Was this exclusive to them? Probably not. What about the small retailers hosting at GoDaddy,, HostGator, etc. These same malicious activities are going on elsewhere as we speak. I hope someone is checking them out. So what’s the solution? Change the old approach. Merchants need to eliminate capturing, storing and tranmitting payment data. Period. Investigate alternative solutions or services like hosted payment page technologies from a level 1 service provider. If you can’t lock down the sensitive data, get rid of it. There are other ways to securely serve your customers.

  6. Affected Consumer Says:

    The consumers are the ones getting screwed. Our credit card numbers have been stolen and the merchants bitch and moan about their names being associated with the theft?!? I want to know which merchants were affected so I can figure out which of my cards was affected and cancel it. Forget about free credit monitoring, which is just a scam to sign me up for a “free trial period” and then slam me for monthly charges, and requires that I provide personal information (including SSN) in electronic, duplicable form to yet another faceless, anonymouse corporate behemoth who doesn’t give a rat’s a$$ about security. But god forbid I be given any useful information at all about my own f-ing financial transactions.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.