Posts Tagged: Clive Over


15
Apr 14

Hardware Giant LaCie Acknowledges Year-Long Credit Card Breach

Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past year. The disclosure comes almost a month after the breach was first disclosed by KrebsOnSecurity.

On Mar. 17, 2014, this blog published evidence showing that the Web storefront for French hardware giant LaCie (now owned by Seagate) had been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe’s ColdFusion software. In response, Seagate said it had engaged third-party security firms and that its investigation was ongoing, but that it had found no indication that any customer data was compromised.

The Lacie.com Web site as listed in the control panel of a botnet of hacked ecommerce sites.

The Lacie.com Web site as listed in the control panel of a botnet of hacked ecommerce sites.

In a statement sent to this reporter on Monday, however, Seagate allowed that its investigation had indeed uncovered a serious breach. Seagate spokesman Clive J. Over said the breach may have exposed credit card transactions and customer information for nearly a year beginning March 27, 2013. From his email:

“To follow up on my last e-mail to you, I can confirm that we did find indications that an unauthorized person used the malware you referenced to gain access to information from customer transactions made through LaCie’s website.”

“The information that may have been accessed by the unauthorized person includes name, address, email address, payment card number and card expiration date for transactions made between March 27, 2013 and March 10, 2014. We engaged a leading forensic investigation firm, who conducted a thorough investigation into this matter. As a precaution, we have temporarily disabled the e-commerce portion of the LaCie website while we transition to a provider that specializes in secure payment processing services. We will resume accepting online orders once we have completed the transition.”

Security and data privacy are extremely important to LaCie, and we deeply regret that this happened. We are in the process of implementing additional security measures which will help to further secure our website. Additionally, we sent notifications to the individuals who may have been affected in order to inform them of what has transpired and that we are working closely and cooperatively with the credit card companies and federal authorities in their ongoing investigation.

It is unclear how many customer records and credit cards may have been accessed during the time that the site was compromised; Over said in his email that the company did not have any additional information to share at this time. Continue reading →


17
Mar 14

The Long Tail of ColdFusion Fail

Earlier this month, I published a story about a criminal hacking gang using Adobe ColdFusion vulnerabilities to build a botnet of hacked e-commerce sites that were milked for customer credit card data. Today’s post examines the impact that this botnet has had on several businesses, as well as the important and costly lessons these companies learned from the intrusions.

cffailLast Tuesday’s story looked at two victims; the jam and jelly maker Smucker’s, and SecurePay, a credit card processor based in Georgia. Most of the companies contacted for this story did not respond to requests for comment. The few business listed that did respond had remarkably similar stories to tell about the ordeal of trying to keep their businesses up and running in the face of such intrusions. Each of them learned important lessons that any small online business would be wise to heed going forward.

The two companies that agreed to talk with me were both lighting firms, and both first learned of their site compromises after the credit card firm Discover alerted their card processors to a pattern of fraudulent activity on cards that were recently used at the stores.

Elightbulbs.com, a Maple Grove, Minn. based company that sells lighting products, was among those listed in the ColdFusion botnet panel. Elightbulbs.com Vice President Paul McLellan said he first learned of the breach on Nov. 7, 2013 from his company’s processor — Heartland Payment Systems.

elight

McLellan said the unpatched ColdFusion vulnerabilities on the company’s site was certainly a glaring oversight. But he said he’s frustrated that his company was paying a third-party security compliance firm upwards of $6,000 a year to test Elightbulbs.com for vulnerabilities and that the firm also missed the ColdFusion flaws.

“Shortly before we were told by Heartland, we paid $6,000 a year for a company to brutalize our server, for protection and peace of mind,” McLellan said. “Turns out this flaw had existed for two years and they never saw it. 

McLellan said the company received a visit from the FBI last year, and the agent said the group responsible for hitting Elightbulbs had compromised much more high-profile targets.

“The FBI investigator said, ‘Hey, don’t beat yourself up. We’ve got credit card processors and government institutions that run ColdFusion who were breached, this is small potatoes’,” McLellan said. “That was a small consolation.”

Continue reading →