Tuesday, July 28, 2009

Hacked Company: Breach exposes nearly 6,00,000

Silicon India
Bangalore: Hosting company and domain registrar Network Solutions has disclosed a data security breach, caused by malware on a server, that affects nearly 6,00,000 credit card holders. The company has notified 4,343 of its nearly 10,000 e-commerce merchant customers about the breach, said Roy Dunbar, Chairman and CEO of Network Solutions.
As reported by CNET News, Network Solutions is investigating the breach, which may have led to the theft of credit card data of 5,73,928 people who made purchases on Web sites hosted by the company. It affects 573,928 cardholders whose name, address, and credit card number were exposed between March 12 and June 8, said Susan Wade, a spokeswoman for Network Solutions.

Network Solutions informed the merchant customers in an e-mail that the credit card transactions were intentionally diverted by an unknown source from certain Network Solutions servers to servers outside. "Mysterious code was discovered in early June on servers hosting e-commerce customer sites during routine maintenance," Susan said. The company called in a third-party forensics team to help with the investigation, and the team was able to crack some of the code on July 13, determining that it could be related to credit card data, she added. According to Susan, it is unknown how the malicious code got onto the system and where it came from.

The hackers left behind malicious code, which allowed them to intercept personal and financial information of people who made purchases at the stores hosted on those servers, said Susan. "So we have notified law enforcement and begun the process of notifying our customers. At this point, we don't have a reason to believe that (the data) has been used, but we are working with the credit card companies," she added.

According to Network Solutions, "Assuring the security and reliability of our services to customers is our most important priority. We store credit card data in an encrypted manner and we are PCI compliant. Unfortunately, any company operating in our business could have become a victim of this type of invasion. In this situation, the unauthorized code appears to have transmitted information about credit card transactions as they were being completed; it did not involve vulnerability in the way we store data in our systems."

But in a prepared statement, Bob Russo, General Manager of the PCI Security Standards Council, urged the company to be more cautious about its statements regarding PCI compliance until an investigation is completed. "Until a forensics investigation is completed, an organization cannot comment accurately on its compliance status," Russo said.

However, this breach of Network Solutions' servers leaves an unanswered question in consumers' minds: "Do you think it is safe to make transactions on the Internet?"
