The details include an early PCI attempt to walk back the certification, retailers complaining about their names appearing in a breach notification letter, and the vendor bringing in General Dynamics, a familiar name from the data breach probes of both TJX and Hannaford. Plus a former IT manager with the company claiming that it retains credit card data a lot longer than it says it does.
The vendor—Network Solutions—had been certified PCI compliant (you just knew that was coming, no?). Visa has been fine-tuning its revisionist-history dance, in which it has declared that no PCI compliant organization has ever been breached, forcing the card brand to find a reason to unvalidate any breached entity that had been certified compliant. A statement from the PCI Council on Monday (July 27) laid the groundwork for taking back the PCI certification that assessor PSC granted Network Solutions last Halloween. (A PCI certification that is good only until a breach happens? Now that's a scary retail trick-or-treat.)
The statement, issued under the name of Bob Russo, the general manager for the PCI Security Standards Council, said: "Until a forensics investigation is completed, an organization cannot comment accurately on its compliance status." The statement then said that ongoing vigilance is essential in maintaining PCI compliance. Once again, retailers' dreams of a PCI Safe Harbor are just that: dreams.
Back to the Network Solutions breach. Network Solutions provides a full E-Commerce suite, designed for very small retailers. Although a small business is generally defined as one with fewer than 100 employees, Network Solutions PR Director Susan Wade said "Our average merchant tends to have fewer than ten employees." The suite has the usual shopping cart and design elements, which are customized for thousands of small retailers. Each retailer has to arrange for its own processor, of course, but Network Solutions relays the credit card info from its site to the processor chosen by that merchant.
During an ordinary maintenance sweep in early June, Wade said, code was discovered on certain parts of various servers. Network Solutions CEO Roy Dunbar said in a letter: "We believe that some credit card transactions that took place on your website this past spring were intentionally diverted from certain of our servers to servers outside Network Solutions by an unknown source."
Network Solutions brought in General Dynamics to help diagnose the problem. General Dynamics is getting to be an old hand at such matters, given that it had performed the same sort of post-breach evaluation for TJX and also worked with Hannaford on boosting its post-breach security.
"It took quite a while to crack the code," Wade said, adding that they finally figured out "some of the code" on July 13 and saw that it had been grabbing payment data and sending it outside the network.
The E-Commerce vendor was able to identify very specific numbers of those impacted—4,343 retailers and 573,928 consumers—because "that's the number of sites that were on the portions of the servers that were impacted," Wade said, adding that the impacted transactions were made between March 12, 2009 and June 8, 2009. Curiously, though, the retailer had been told of no attempts—successful or otherwise—to access the stolen credit card data, Wade said. Had a gang of professional data thieves grabbed the data months ago, the group would presumably have tried using the data, given the short life expectancy of stolen credit card numbers.
Network Solutions created a Web site to tell its customers—and their customers—about the breach. But a fascinating discussion among those smaller retailers started in one of its discussion pages. The merchants were upset about the letter that was being sent to the merchants' consumer customers. The letter was being sent by TransUnion, which Network Solutions hired to contact consumers and to guarantee them one year of free credit monitoring.
The retail objections? Overwhelmingly, they were objecting to their retail brands being mentioned in the letter, which seems odd given that it's the only name those consumers would recognize.
One comment summed up the concerns: "I understand you (are) doing everything by law to have this corrected and settled. I want to see an updated tentative letter that does not disclose any URL or merchant name. This was not the fault of the URL or Merchant. This was solely the fault of a security breach within Network Solutions. Your customers chose companies like you to avoid situations like this. We pay thousands of dollars a year between hosting, security, and PCI scanning to ensure our sites are parked on secure servers. I as well as anybody know horrible situations in business arise, but you will not display your merchants' information when contacting shoppers. More importantly you will plainly write in simple language so simple people can understand that “This was not at all the fault of the merchant or website but solely the fault of Network Solutions”. You don’t seem to understand the severity of this situation. Not only was information taken off of sites within your company, but it was also sent out for 4 months. There were 2 breaches going on that went unnoticed. And now you have the audacity to put your merchants' names in a letter. IT WAS NOT OUR FAULT. I also strongly suggest you start crediting your almost 5000 affected merchants their SSL money and HackerSafe money back, as this is just a license to steal. Credit Card information was compromised by the fault of Network Solutions, again not at the fault of any of your merchants."
Another poster took exception to the letter's opening line, which read "TransUnion is contacting you at the request of (insert merchant URL) and its credit software support partner, Network Solutions LLC."
"That letter, in that form, is a disaster. Read the first sentence! Does NS expect me to take the fall for their security issues? Why should my company take the blame? And that is exactly who my customer will blame when they get that letter. Who do you think they are going to call? If my websites' names are included in that letter and I get bad reviews or press online, who will take care of that? Do you really think any of those customers will ever buy from me or refer other customers to me again? Please review the letter from a merchant standpoint and how it will impact our business. We did nothing wrong as far as I know."
Network Solutions replied that it was considering phrasing changes in the letter.
There's a fascinating discussion over at Slashdot where a reader claiming to be a former Network Solutions IT person is saying that Network Solutions routinely retains full credit card numbers and passwords in plain text. With the strong disclaimer that we don't know who the poster really is, whether he/she was actually a Network Solutions employee and—perhaps most critically—when the employment supposedly happened, if the comments are true, it would go far in explaining why so much data was sitting around Network Solutions, waiting to be stolen.
For the record, we asked Wade to comment on the posting and she neither refuted nor confirmed the comments made. "We don’t have any comment on that. We’re focused on helping our merchants and their customers and on working with the authorities to complete the investigation into this matter."