SwimOutlet.com Breached in 2016 – 51 days later..and after the holidays…we were notified. January 19, 2017Posted by Chris Mark in Data Breach, Uncategorized.
Tags: Breach, compromise, credit card, CVV2, debit card, dta, fraud, hack, payment card, PCI DSS, swimoutlet.com, yogaoutlet.com
This is a post to notify those who may be affected. Yesterday I received the following letter in the mail. It was sent in a nondescript envelope and nearly discarded as ‘junk mail’. Upon opening the letter I was shocked to read that my wife’s credit card data appears to have been compromised at SwimOutlet.com. It should be noted that the same infrastructure is used by YogaOutlet.com. In reading the letter provided to the State of Oregon’s Attorney General, it appears that over 6,200 Oregon residents likely had their data stolen.
Within the letter there is a curious statement that says: “The information at risk as a result of this event includes the cardholder name, address, phone number, email address, card number ,expiration date, and CVV“. For those in the credit card industry the inclusion of CVV is very troubling. Under the card brand operating regulations and PCI DSS standard, it is prohibited for a merchant to retain CVV subsequent to authorization of the charge. This particular type of data (actually the CVV2 or equivalent data) is what is needed to authenticate a transaction. In short, the likelihood of fraud increases exponentially when a criminal captures CVV2 type data. It is certainly curious that this ‘prohibited data’ is listed as an element that may have been stolen.
In reviewing the SwimOutlet.com website I notice a conspicuous absence of any form of notification on their website. Their blog is filled with helpful tips on swimming better and eating better but there is no mention of the fact that their user’s credit and/or debit card data was stolen. A review of their Facebook page has the same conspicuous absence of any notification or information. Their Twitter feed is also absent of any information.
If one looks at the timeline of events, there are some disturbing (to me, at least) items. On October 31st, 2016 SwimOutlet.com “…began investigating unusual activity reported by (our) credit card processor.” On November 28th, 2016 SwimOutlet.com received ‘confirmation’ that their systems were ‘hacked’ yet the notice states that data may have been compromised as late as November 22nd, 2016. I have been involved in numerous data breach investigations and incidents. “unusual activity” notifications by credit card processors are ‘notifications of fraud’. This is a major red flag that the merchant HAS been breached. The notice then provides a qualified statement in saying that the beach: “…may have compromised some customers’ debit and credit card data…” Again, if notified by the credit card processor then the data ‘may not’ have been compromised it almost certainly was compromised.
What is most disturbing to me is that SwimOutlet.com had confirmation on November 28th, 2016 that they were breached. They had confirmation as early as October 31st, 2016 of ‘unusual activity’ yet chose to wait until AFTER the holiday season to notify affected consumers. Criminals are not stupid. They steal credit card data before the holidays to be used over the holidays when the fraud systems are often ‘detuned’ by retailers and the volume of transactions creates noise in which fraud is often harder to identify. By waiting until January 12th (we received the letter on January 17th, 2017) it created a situation in which we were blissfully unaware that our data had been breached. If we had been notified before the holiday season, we could have cancelled the card immediately and been saved the inconvenience and possible cost associated with this situation.
In the notice SwimOutlet.com does: “…encourage (me) to remain vigilant against incidents of identity theft and fraud.” This would have been sage advice BEFORE the holiday season. It begs the question why a major online retailer would wait until after CyberMonday and after the holiday season to notify of a breach?
Finally, SwimOutlet.com reassures the recipient that “We take the security of our customers’ information extremely seriously…” and that: “…you can safely use your payment card at http://www.swimoutlet.com”. In light of the method and delay of notification I am going to personally take my business elsewhere.
New Role – AT&T Consulting PCI Practice Lead! January 4, 2013Posted by Chris Mark in Uncategorized.
Tags: AT&T, Chris Mark, Consulting, credit card, PCI DSS, QSA, security
add a comment
I am proud to announce that as of January 3, 2013 I have accepted and started a new position with AT&T Consulting. I am the new PCI Practice Lead directing the PCI DSS auditing and consulting efforts within AT&T. I am excited to work with the most experienced, professional PCI DSS experts and QSAs in the industry. I have had frequent opportunity to interact with the AT&T PCI team over the years and have been consistently impressed with their technical expertise and professionalism. Their industry leading services are testament to the quality of the team and the leadership that preceded me in this role. Please feel free to contact me if you have any PCI DSS needs!
Chris in October 2012 Issue of PenTest Magazine October 30, 2012Posted by Chris Mark in Uncategorized.
Tags: Chris Mark, credit card, mark consulting group, mastercard, PCI, PCI DSS, penetration testing, pentest, security, visa
add a comment
Check out the October 2012 issue of PenTest Magazine for tons of valuable information on the PCI DSS and how Pen Testing can be used to support compliance and validation. I have an article in the magazine titled: “Introduction to PCI DSS for the PenTester” You need to register as a user or subscribe to access the articles.
Tags: compliance, credit card, cybersecurity, data breach, information security, PCI DSS, privacy, transaction world
add a comment
I heard yesterday from the EIC of Transaction World Magazine that they will be publishing one of my articles in their August 2012 issue. Stay tuned! I have written for TW numerous times over the past 7 years or so and Heather has written for them consistently since about 2005. You can read her current article here and see archives of Heather’s articles at this link. If you are not in the payments industry and want to know about the exciting world of credit card issues, check out TransactionWorld. It has great articles covering everything from compliance, to security, interchange, and more. Here are two links to a couple of my previous TW articles..1) Why Regulation Cannot Prevent CyberCrime and 2) Lessons from the Heartland Breach…clearly in this relationship Heather is the Brain and I am Pinky 😉
Global Issues Press Release Confirming Breach March 30, 2012Posted by Chris Mark in InfoSec & Privacy, Laws and Leglslation.
Tags: Chris Mark, credit card, cybercrime, cybersecurity, data breach, data security, Global Payments, mastercard, PCI DSS, visa
add a comment
Thank you to a person for pointing this out to me via LinkedIn. GlobalPayments, Inc. has issued a press release confirming it was their system that was compromised. You can read it here. They have disabled cutting and copying so here is a screenshot.