Network Solutions Data Breach Hits 574,000 Consumers
Curiously, though, the retailer had been told of no attempts—successful or otherwise—to access the stolen credit card data, Wade said. Had a gang of professional data thieves grabbed the data months ago, the group would presumably have tried using the data, given the short life expectancy of stolen credit card numbers.
Network Solutions created a Web site to tell its customers—and their customers—about the breach. But a fascinating discussion among those smaller retailers started in one of their discussion pages. The merchants were upset about the letter that was being sent to the merchants’ consumer customers. The letter was being sent by Trans Union, which Network Solutions hired to contact consumers and to guarantee them one year of free credit monitoring.
The retail objections? Overwhelmingly, they were objecting to their retail brands being mentioned in the letter, which seems odd given that it’s the only name those consumers would recognize.
One comment summed up the concerns: “I understand you (are) doing everything by law to have this corrected and settled. I want to see an updated tentative letter that does not disclose any URL or merchant name. This was not the fault of the URL or Merchant. This was solely the fault of a security breach within Network Solutions. Your customers chose companies like you to avoid situations like this. We pay thousands of dollars a year between hosting, security, and PCI scanning to ensure our sites are parked on secure servers. I as well as anybody know horrible situations in business arise, but you will not display your merchants’ information when contacting shoppers. More importantly you will plainly write in simple language so simple people can understand that ‘This was not at all the fault of the merchant or website but solely the fault of Network Solutions’. You don’t seem to understand the severity of this situation. Not only was information taken off of sites within your company, but it was also sent out for 4 months. There were 2 breaches going on that went unnoticed. And now you have the audacity to put your merchants’ name in a letter. IT WAS NOT OUR FAULT. I also strongly suggest you start crediting your almost 5000 affected merchants their SSL money and HackerSafe money back, as this is just a license to steal. Credit Card information was compromised by the fault of Network Solutions, again not at the fault of any of your merchants.”
Another poster took exception to the letter’s opening line, which read “TransUnion is contacting you at the request of (insert merchant URL) and its credit software support partner, Network Solutions LLC.”
“That letter, in that form, is a disaster. Read the first sentence! Does NS expect me to take the fall for their security issues? Why should my company take the blame? And that is exactly who my customer will blame when they get that letter. Who do you think they are going to call? If my websites’ names are included in that letter and I get bad reviews or press online, who will take care of that? Do you really think any of those customers will ever buy from me or refer other customers to me again? Please review the letter from a merchant standpoint and how it will impact our business. We did nothing wrong as far as I know.”
Network Solutions replied that it was considering phrasing changes in the letter.
There’s a fascinating discussion over at Slashdot where a reader claiming to be a former Network Solutions IT person is saying that Network Solutions routinely retains full credit card numbers and passwords in plain text. With the strong disclaimer that we don’t know who the poster really is, whether he/she was actually a Network Solutions employee and—perhaps most critically—when the employment supposedly happened, if the comments are true, it would go far in explaining why so much data was sitting around Network Solutions, waiting to be stolen.
For the record, we asked Wade to comment on the posting and she didn’t refute or confirm the comments made. “We don’t have any comment on that. We’re focused on helping our merchants and their customers and on working with the authorities to complete the investigation into this matter.”
July 29th, 2009 at 3:31 pm
Compliant but not secure – it is a chant that security vendors have been singing for some time and getting accused of just trying to sell their wares. A breach of this enormity while “compliant” should send a real message to those who are still looking at the cost/benefit analysis and betting that they won’t get breached. One telling quote in your piece is “During an ordinary maintenance sweep in early June.” Do you leave your house and only lock the door once every three months? To protect your network and your data you need not only strong encryption but also 24×7 monitoring of both your wired and your wireless network(s).
July 30th, 2009 at 2:54 pm
The quote about a merchant being considered compliant until there is a breach (and then having that compliance revoked) is outrageous. First Hannaford, now Network Solutions, who is next? What is the point of gaining compliance?
To me the scary part of this is that since PCI-DSS cannot seem to “manage” the issue, states are taking matters in their own hands and in most cases taking horrible approaches (it is almost impossible for a small retailer to be compliant with the new Massachusetts data privacy law). It’s only a matter of time before Congress tries to stave off the state laws with some expansion of FACTA or something new altogether. I am not looking forward to that day.
August 4th, 2009 at 5:25 pm
Once again the industry is doing its best to put all the blame on the path of least resistance – the merchant.
August 4th, 2009 at 5:26 pm
The scariest part of it all is that no matter what they do the data is still there in some format. The goal is to somehow remove all the data. If thieves can’t find a good pond to fish in with lots of fish (all the credit card data); they have to go somewhere else.
August 6th, 2009 at 10:05 am
A more cautionary note would be… OK. Network Solutions got hacked over an 88-day period. Was this exclusive to them? Probably not. What about the small retailers hosting at GoDaddy, Web.com, HostGator, etc.? These same malicious activities are going on elsewhere as we speak. I hope someone is checking them out. So what’s the solution? Change the old approach. Merchants need to eliminate capturing, storing and transmitting payment data. Period. Investigate alternative solutions or services like hosted payment page technologies from a level 1 service provider. If you can’t lock down the sensitive data, get rid of it. There are other ways to securely serve your customers.
August 28th, 2009 at 11:13 am
The consumers are the ones getting screwed. Our credit card numbers have been stolen and the merchants bitch and moan about their names being associated with the theft?!? I want to know which merchants were affected so I can figure out which of my cards was affected and cancel it. Forget about free credit monitoring, which is just a scam to sign me up for a “free trial period” and then slam me for monthly charges, and requires that I provide personal information (including SSN) in electronic, duplicable form to yet another faceless, anonymous corporate behemoth who doesn’t give a rat’s a$$ about security. But god forbid I be given any useful information at all about my own f-ing financial transactions.