SwimOutlet.com Breached in 2016 – 51 days later…and after the holidays…we were notified.
January 19, 2017. Posted by Chris Mark in Data Breach, Uncategorized.
Tags: Breach, compromise, credit card, CVV2, debit card, dta, fraud, hack, payment card, PCI DSS, swimoutlet.com, yogaoutlet.com
This is a post to notify those who may be affected. Yesterday I received the following letter in the mail. It was sent in a nondescript envelope and was nearly discarded as ‘junk mail’. Upon opening the letter I was shocked to read that my wife’s credit card data appears to have been compromised at SwimOutlet.com. It should be noted that the same infrastructure is used by YogaOutlet.com. In reading the letter provided to the State of Oregon’s Attorney General, it appears that over 6,200 Oregon residents likely had their data stolen.
Within the letter there is a curious statement that says: “The information at risk as a result of this event includes the cardholder name, address, phone number, email address, card number, expiration date, and CVV”. For those in the credit card industry the inclusion of CVV is very troubling. Under the card brand operating regulations and the PCI DSS standard, a merchant is prohibited from retaining the CVV after authorization of the charge. This particular type of data (actually the CVV2 or equivalent data) is what is needed to authenticate a transaction. In short, the likelihood of fraud increases exponentially when a criminal captures CVV2-type data. It is certainly curious that this ‘prohibited data’ is listed as an element that may have been stolen.
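To make the retention rule concrete, here is an added example (written for this page, not code from the post or from SwimOutlet.com) that models what a merchant may and may not keep once a charge is authorized. The CVV2 is passed to a stand-in processor call and never copied into the record that is persisted; a second function audits already-stored records for the prohibited field and for unmasked card numbers, which is the check an assessor or an internal review would run. The processor function, field names and sample records are all constructed assumptions.

```python
import re

# Fields a merchant may keep after authorization (constructed allow-list for
# this example; the PAN is kept only in truncated form).
ALLOWED_AFTER_AUTH = {"cardholder_name", "pan_last4", "expiry", "auth_code"}

# Sensitive authentication data that must never be stored after authorization.
PROHIBITED_AFTER_AUTH = {"cvv", "cvv2", "cvc", "cid", "track_data", "pin_block"}

# Matches a full, unmasked primary account number (13 to 19 digits).
FULL_PAN_RE = re.compile(r"\d{13,19}")


def fake_processor_authorize(pan: str, expiry: str, cvv2: str, amount_cents: int) -> dict:
    """Stand-in for the acquirer/processor API (constructed, not a real API).

    The CVV2 is consumed here for authentication of the transaction and is
    not returned, so nothing downstream can retain it.
    """
    if not re.fullmatch(r"\d{3,4}", cvv2) or amount_cents <= 0:
        return {"approved": False, "auth_code": None}
    return {"approved": True, "auth_code": "AUTH" + pan[-4:]}


def checkout(form: dict, amount_cents: int) -> dict:
    """Authorize the charge and return only the record that is safe to persist.

    `form` carries the raw checkout fields: name, pan, expiry, cvv2.
    """
    result = fake_processor_authorize(form["pan"], form["expiry"], form["cvv2"], amount_cents)
    if not result["approved"]:
        raise ValueError("authorization declined")
    record = {
        "cardholder_name": form["name"],
        "pan_last4": form["pan"][-4:],
        "expiry": form["expiry"],
        "auth_code": result["auth_code"],
    }
    # Defensive check: nothing outside the allow-list reaches storage.
    unexpected = set(record) - ALLOWED_AFTER_AUTH
    if unexpected:
        raise RuntimeError(f"refusing to persist prohibited fields: {sorted(unexpected)}")
    return record


def audit_stored_records(records) -> list:
    """Return (index, field) pairs for every finding in already-stored data.

    A finding is either a prohibited authentication-data field or any field
    whose value is a full, unmasked card number.
    """
    findings = []
    for i, rec in enumerate(records):
        for key, value in rec.items():
            if key.lower() in PROHIBITED_AFTER_AUTH:
                findings.append((i, key))
            elif isinstance(value, str) and FULL_PAN_RE.fullmatch(value):
                findings.append((i, key))
    return findings


# Constructed sample of what a broken merchant database might hold: the first
# record is compliant, the second retains the CVV and the full card number.
SAMPLE_STORED_RECORDS = [
    {"cardholder_name": "A. Customer", "pan_last4": "1111", "expiry": "12/19", "auth_code": "AUTH1111"},
    {"cardholder_name": "B. Customer", "cvv": "123", "pan": "4111111111111111", "expiry": "01/20"},
]

if __name__ == "__main__":
    safe = checkout({"name": "A. Customer", "pan": "4111111111111111",
                     "expiry": "12/19", "cvv2": "123"}, 1999)
    print("persisted:", safe)
    print("audit findings:", audit_stored_records(SAMPLE_STORED_RECORDS))
```

The audit function is the part worth keeping around: run it over database exports, log archives and backups, because the CVV2 most often survives not in the orders table but in a debug log or a serialized request object that nobody meant to store.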
In reviewing the SwimOutlet.com website I notice a conspicuous absence of any form of notification. Their blog is filled with helpful tips on swimming better and eating better, but there is no mention of the fact that their users’ credit and/or debit card data was stolen. A review of their Facebook page shows the same conspicuous absence of any notification or information. Their Twitter feed also contains no information about the breach.
If one looks at the timeline of events, there are some disturbing (to me, at least) items. On October 31st, 2016 SwimOutlet.com “…began investigating unusual activity reported by (our) credit card processor.” On November 28th, 2016 SwimOutlet.com received ‘confirmation’ that their systems were ‘hacked’, yet the notice states that data may have been compromised as late as November 22nd, 2016. I have been involved in numerous data breach investigations and incidents. “Unusual activity” notifications by credit card processors are ‘notifications of fraud’: the processor has already seen fraudulent charges on cards that share this merchant as a common point of purchase. This is a major red flag that the merchant HAS been breached. The notice then provides a qualified statement in saying that the breach: “…may have compromised some customers’ debit and credit card data…” Again, if the merchant was notified by the credit card processor, the data did not ‘may have been’ compromised; it almost certainly was compromised.
What is most disturbing to me is that SwimOutlet.com had confirmation on November 28th, 2016 that they were breached. They had notice as early as October 31st, 2016 of ‘unusual activity’, yet chose to wait until AFTER the holiday season to notify affected consumers. Criminals are not stupid. They steal credit card data before the holidays to be used over the holidays, when the fraud systems are often ‘detuned’ by retailers and the volume of transactions creates noise in which fraud is harder to identify. By waiting until January 12th (we received the letter on January 17th, 2017) they created a situation in which we were blissfully unaware that our data had been breached. If we had been notified before the holiday season, we could have cancelled the card immediately and been saved the inconvenience and possible cost associated with this situation.
In the notice SwimOutlet.com does: “…encourage (me) to remain vigilant against incidents of identity theft and fraud.” This would have been sage advice BEFORE the holiday season. It begs the question why a major online retailer would wait until after Cyber Monday and after the holiday season to notify of a breach.
Finally, SwimOutlet.com reassures the recipient that “We take the security of our customers’ information extremely seriously…” and that: “…you can safely use your payment card at http://www.swimoutlet.com”. In light of the method and delay of notification I am going to personally take my business elsewhere.
Tags: Breach, Chinese, compromise, cyber, Data, Elvis, FISMA, hack, Menendez, OPM, SF86, Target
Let me start with Elvis’ “Clean up your own Backyard”
“Back porch preacher preaching at me
Acting like he wrote the golden rules
Shaking his fist and speeching at me
Shouting from his soap box like a fool
Come Sunday morning he’s lying in bed
With his eye all red, with the wine in his head
Wishing he was dead when he oughta be
Heading for Sunday school
Clean up your own backyard
Oh don’t you hand me none of your lines
Clean up your own backyard
You tend to your business, I’ll tend to mine”
Today I received a letter from the United States Office of Personnel Management, or OPM, informing me that my personal data had been stolen in a data breach. As a quick reminder, the OPM was the victim of a major data breach in which over 22.4 million current and former federal workers’ and military members’ personal information was stolen by the Chinese Government, although the Obama administration did not formally accuse Beijing.
The breach was finally disclosed by the OPM in June 2015 but started in March 2014. So what was stolen? According to the report I received today, it included (ready for this): 1) Social Security Number, 2) Full Name, 3) Address, 4) Education History, 5) Employment History, 6) Information on my dependents and close family, and 7) my SF86 from when I applied for my security clearance, among other data. For those who are unaware, the SF86 is a 127-page document titled “Questionnaire for National Security Positions” that asks questions about every aspect of a person’s life, including 1) friends’ names, 2) emotional and psychological health, 3) use of alcohol and drugs, 4) financial issues, 5) affiliations with groups, and more! This information is much more personal and sensitive than just a Social Security number.
I find it amusing that within 2 days of Target notifying that they had been victimized by criminals who stole millions of credit card numbers, the “Honorable” Senator Menendez (D-NJ), a sitting US Senator (and “back porch preacher” who is now under criminal indictment), would deride Target and ask whether the: “…FTC has the teeth to hold retailers who failed to protect consumers’ information accountable.” He then continued that if a company doesn’t invest in security to ensure customer data can’t be stolen, “then you have to question why a company would not do that.” The Target CFO would be forced to APOLOGIZE to the US Congress for security ‘failures’, yet when the OPM is breached the US Government distances itself from any liability. This is the sine qua non of any action in which the Federal Government fails: they simply deny that they failed. According to OPM spokesperson Samuel Shumach:
Tags: Breach, chip, compromise, EMV, hack, information, mobile, P2PE, PIN, risk, security
I have been invited to co-present on Mobile Retail Security at the 17th Annual AT&T Cyber Security Conference. The conference is October 5th and 6th in Manhattan and will feature some amazing speakers including AT&T’s own CSO Dr. Ed Amoroso, Palo Alto’s CSO Rick Howard and “Dr. Chaos” Aamir Lakhani, to name but a few. If you are going to be in NYC on Oct 5th and/or 6th and want to attend, registration is FREE! Check it out!
Chris Mark speaking at COMTEC 2014 by TouchNet
August 27, 2014. Posted by Chris Mark in Uncategorized.
Tags: AT&T, Breach, cardholder, Chris Mark, compromise, COMTEC, Data, data security, education, higher, PCI, TouchNet
Chris Mark will be presenting at the 2014 COMTEC TouchNet Client Conference on PCI DSS and data security within the payment card industry. The title of the presentation will be Hitting the PCI Bullseye. COMTEC is the premier conference for Higher Education organizations. I was invited to speak in 2012 but found myself delayed returning to the US, as I was in the Gulf of Aden providing maritime security. Below is a description from the TouchNet website.
“Join us for the COMTEC pre-conference PCI Workshop: Hit the Bullseye on November 10th. This power-packed day of PCI and security training is vital for business, security, compliance, audit, and IT professionals who want to stay on target with changes in payment security rules in the coming year. You’ll get real-world advice on compliance and best practices from industry experts and campus leaders who are dedicated to information security.”
Tags: AT&T, Chris Mark, compliance, compromise, data breach, DSS, hack, PCI, risk, security
I was privileged to be able to speak at an AT&T BPO event in 2013. In Feb 2014 AT&T Marketing published the videos. I found one but was unaware they had published all 3. I hope you enjoy. (Remember…the camera adds 10 lbs! 😉)