Network Solutions Data Breach Hits 574,000 Consumers
Written by Evan Schuman
July 27th, 2009
An E-Commerce software company that, as part of its service for small retailers, accepted payment card data and then sent it to various processors has found itself on the wrong end of a breached-company news release, confirming that payment data from some 574,000 customers—processed through 4,343 of its small retail clients—had been accessed. The stolen data included transaction specifics, card account numbers, names and consumer addresses. The vendor—Network Solutions—had been certified PCI compliant (you just knew that was coming, no?).
The details include an early PCI attempt to try and walk back the certification, retailers complaining about their names appearing in a breach notification letter and the vendor bringing in General Dynamics, a familiar name from the data breach probes of both TJX and Hannaford. Plus a former IT manager with the company claiming that they retain credit card data a lot longer than they say they do.

July 29th, 2009 at 3:31 pm
Compliant but not secure – it is a chant that security vendors have been singing for some time and getting accused of just trying to sell their wares. A breach of this enormity while “compliant” should send a real message to those who are still looking at the cost/benefit analysis and betting that they won’t get breached. One telling quote in your piece is “During an ordinary maintenance sweep in early June.” Do you leave your house and only lock the door once every three months? To protect your network and your data you need not only strong encryption but also 24×7 monitoring of both your wired and your wireless network(s).
July 30th, 2009 at 2:54 pm
The quote about a merchant being considered compliant until there is a breach (and then having that compliance revoked) is outrageous. First Hannaford, now Network Solutions, who is next? What is the point of gaining compliance?
To me the scary part of this is that since PCI-DSS cannot seem to “manage” the issue, states are taking matters in their own hands and in most cases taking horrible approaches (it is almost impossible for a small retailer to be compliant with the new Massachusetts data privacy law). It’s only a matter of time before Congress tries to stave off the state laws with some expansion of FACTA or something new altogether. I am not looking forward to that day.
August 4th, 2009 at 5:25 pm
Once again the industry is doing its best to put all the blame on the path of least resistance – the merchant.
August 4th, 2009 at 5:26 pm
The scariest part of it all is that no matter what they do the data is still there in some format. The goal is to somehow remove all the data. If thieves can’t find a good pond to fish in with lots of fish (all the credit card data); they have to go somewhere else.
August 6th, 2009 at 10:05 am
A more cautionary note would be… OK. Network Solutions got hacked over an 88 day period. Was this exclusive to them? Probably not. What about the small retailers hosting at GoDaddy, Web.com, HostGator, etc.? These same malicious activities are going on elsewhere as we speak. I hope someone is checking them out. So what’s the solution? Change the old approach. Merchants need to eliminate capturing, storing and transmitting payment data. Period. Investigate alternative solutions or services like hosted payment page technologies from a level 1 service provider. If you can’t lock down the sensitive data, get rid of it. There are other ways to securely serve your customers.
August 28th, 2009 at 11:13 am
The consumers are the ones getting screwed. Our credit card numbers have been stolen and the merchants bitch and moan about their names being associated with the theft?!? I want to know which merchants were affected so I can figure out which of my cards was affected and cancel it. Forget about free credit monitoring, which is just a scam to sign me up for a “free trial period” and then slam me for monthly charges, and requires that I provide personal information (including SSN) in electronic, duplicable form to yet another faceless, anonymous corporate behemoth who doesn’t give a rat’s a$$ about security. But god forbid I be given any useful information at all about my own f-ing financial transactions.