midwestsupplies
As you know, Midwest Supplies experienced a data breach and as President, I want to explain what happened, what we've changed and what we've learned.
Here's what we know and have reported to law enforcement authorities
On July 19, 2013, Midwest Supplies, as part of an on-going investigation of a possible data breach prompted by a customer and a card association inquiry, discovered a breach of midwestsupplies.com and contained the compromise.
We immediately notified each of the credit card brands so that they were aware of the potential breach and could increase their monitoring for fraudulent activity (this is possibly the reason why cardholders received replacement cards from their card issuers).
The independent third-party forensics firm we had hired began work to determine the scope of the breach. This investigation took longer than we expected because certain of the log files had been maliciously erased and had to be reconstructed.
As a result, we determined, among other matters:
- There was unauthorized access to an administrative account of the midwestsupplies.com website using the credentials of a Midwest Supplies employee but originating from a foreign country.
- That account was used to upload a malicious command shell to the midwestsupplies.com web content server. This file was disguised as a graphics file.
- The command shell was used to insert 2 lines of malicious code into the web server's payment module. The malicious code was designed to intercept a copy of the cardholder data that was being submitted for authorization to Authorize.net, a VISA company (a variant of a man-in-the-middle attack commonly called a double mailer).
- The cardholder data elements at risk include PAN, CVV, Expiration Date, Name, Address, Phone and Email.
Having secured the servers, notified the credit card brands and investigated the scope of the breach, we worked as quickly as we could to determine exactly which customers were at risk and to provide notifications to them.
- Most customers were not at risk. At risk were only those customers who entered credit card information. Customers who had stored their sensitive cardholder data elements prior to the time of the breach or who used PayPal were not at risk.
What we have changed
At the time of the breach, we sincerely believed that our servers were secure and that the third-party testing and verification of that security was sufficient assurance of the same. However, since discovering the breach, we have come to realize that such assurances are insufficient. As a result of our investigation, we have made the following changes among others:
- We have confirmed that all malicious code has been removed from the web servers and have fully audited the web site's source code for any unauthorized changes.
- We have limited even further the access to our administrative functionality of all of our web applications and made universal the requirement to use random but strong passwords generated by password management utilities in cases where we did not do so before.
- We have reconfigured all of our web servers to prevent the execution of code from unauthorized directories.
- We have added intrusion detection and file system monitoring processes and tools to detect unauthorized attempts to modify content on our web servers.
- We hired an independent third-party auditor to confirm that we do not unknowingly store sensitive cardholder data such as PAN, CVV or Expiration Date; as we have said before, all of this information is stored by Authorize.net, a VISA company, for the convenience of customers.
- We have added to our information technology group a leader with skills and experience consistent with our scale and complexity.
What we have learned
The entirety of our leadership including founders, managers and shareholders has been working tirelessly on this breach with only the best of intentions. Rest assured that we have all read and considered thoughtfully what has been said about us and the breach including the often pointed criticism.
As a result, we have learned that, among other things:
- We must maintain constant vigilance against those nameless people who would do us harm.
- We needed to communicate better by providing additional updates that would not have compromised the on-going investigation of law enforcement into what is a crime.
- If we had provided those additional facts about what we know and what we have changed, we would have reduced speculation.
- We did not appreciate fully that some of you would fear that the theft of sensitive cardholder data would place your identity at risk. If you are concerned about this, we will, of course, arrange for one year of credit monitoring for you at our cost.
As one of you wrote, when credit card information is stolen, we are all victims; and, we regret that this attack on our security exposed any customer to any inconvenience and apologize for compounding the issue by not having provided more transparency on a timely basis.
If you have feedback or if there is anything we can do to address a specific or individual concern including the credit monitoring referred to above, please call us at 888-449-2739 or e-mail [email protected].
David Kidd, President
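The post's findings (a web shell disguised as a graphics file, two lines inserted into the payment module) and the "file system monitoring" change it describes map onto a simple file-integrity check over a web content root. The script below is an added illustration, not Midwest Supplies' code or tooling: it baselines SHA-256 hashes of every file, reports new, modified and missing files, and flags files whose extension claims an image but whose first bytes look like server-side script. The file names (payment.php, banner.jpg) and the sample tree are constructed for the demo.

```python
import hashlib
import os
import tempfile

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"#!")  # server-side script openers

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    # Map every file under root (slash-separated relative path) to its SHA-256.
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline

def looks_like_disguised_script(path):
    # True if the extension claims an image but the leading bytes look like script.
    if os.path.splitext(path)[1].lower() not in IMAGE_EXT:
        return False
    with open(path, "rb") as f:
        head = f.read(512)
    return any(m in head for m in SCRIPT_MARKERS)

def check(root, baseline):
    # Compare the current tree with the stored baseline; return findings by category.
    current = build_baseline(root)
    return {
        "new": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(current)),
        "disguised": sorted(p for p in current if looks_like_disguised_script(os.path.join(root, p))),
    }

def demo():
    # Constructed sample: clean web root, then an edited payment module and a
    # "graphics file" that actually contains script (both hypothetical names).
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "payment.php"), "w") as f:
        f.write("<?php process_payment($_POST); ?>\n")
    baseline = build_baseline(root)
    with open(os.path.join(root, "payment.php"), "a") as f:
        f.write("// unauthorized edit\n")
    with open(os.path.join(root, "images", "banner.jpg"), "wb") as f:
        f.write(b"<?php /* not an image */ ?>")
    return check(root, baseline)
```

In practice the baseline would be stored off-host and the check run on a schedule, with any "modified" hit on a payment path or any "disguised" hit treated as an incident rather than a warning.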