Datendiebstahl bei TAD Gear

So... es ist passiert. Manche haben es befürchtet, andere vorhergesehen. Trotz der Bemerkungen von Seiten TAD Gears, dass die Seite sicher sei, wurden Kreditkartendaten und Kundeninformationen gestohlen.

Betroffen sind vor allem Bestellungen, die zwischen 6. August 2009 bis 16. November 2009 getätigt wurden. Anscheinend sind die Behörden schon verständigt und als zusätzliche Sicherheitsmaßnahme muss man bei der Homepage ein neues Passwort sowie einen neuen Benutzernamen beantragen.

Für mehr Informationen poste ich hier den Text, der von TAD Gear veröffenticht wurde.

Zitat

This notice is to inform our customers of a security incident at TAD
Gear. We recently learned that our database was illegally accessed from
an external source, and it appears that some customer data were taken,
which may include customer names, contact information and credit card
data. The possibility of a security breach came to our attention when
certain customers notified us that unauthorized charges had appeared on
their credit cards. Upon learning of the potential breach of security,
TAD Gear immediately initiated an investigation, and took corrective
steps based on the advice of an internet security firm. We have also
contacted law enforcement.

If you purchased merchandise
from TAD Gear on-line between August 6, 2009 and November 16, 2009, and
the credit card used to purchase that merchandise is still valid, in
order to protect yourself from the possibility of identity theft or
misuse of your credit card information, we recommend that you
immediately contact the issuer of that credit card and close your
account. Tell them that your account may have been compromised. If you
want to open a new account, ask your credit card issuer to give you a
PIN or password, as this will help control access to the account.

In addition, we recommend that you place a fraud alert on your
credit files. A fraud alert lets creditors know to contact you before
opening new accounts. Just call any one of the three credit reporting
agencies at a number below. This will let you automatically place fraud
alerts with all of the agencies. You will then receive letters from all
of them, with instructions on how to get a free copy of your credit
report from each.

Experian Equifax TransUnion
888 397 3742
http://www.experian.com
866-640-2273
http://www.equifax.com
877-701-5276
http://www.transunion.com

When you receive your credit reports, look them over carefully.
Look for accounts you did not open. Look for inquiries from creditors
that you did not initiate. And look for personal information, such as
your home address and Social Security number, which is not accurate. If
you see anything you do not understand, call the credit reporting
agency at the telephone number on the report.

If you do find suspicious activity on your credit reports, call
your local police or sheriff’s office and file a police report of
identity theft. Get a copy of the police report. You may need to give
copies of the police report to creditors to clear up your records. Even
if you do not find any signs of fraud on your reports, we recommend
that you check your credit report every three months for the next year.
Just call one of the numbers above to order your reports and keep the
fraud alert in place.

For more information on identity theft, we suggest that you
visit the web site of the California Office of Privacy Protection at
http://www.privacy.ca.gov, or the Federal Trade Commission at
http://www.ftc.gov/bcp/edu/micros
ites/idtheft.
If there is anything TAD Gear can do to assist you, please email us at
action@tadgear.com, a special email address that we have set up to help
answer your questions.

On a going-forward basis, in order to help assure the security of
your information, all users will be required to recreate their
usernames and change passwords upon logging onto our newly redesigned,
TAD Gear website. Please note that the password change process is only
initiated when you come to the TAD Gear website and as a result an
email is sent to you. Do not respond to any other unsolicited emails
regarding password changes from TAD Gear. TAD Gear will not contact you
by email regarding a password change unless you initiate such a change
on the TAD Gear website in accordance with the instructions above.

We are sorry for any inconvenience that this might have caused
you. We take the protection of our customers' personal information very
seriously. TAD Gear is making additional, significant investments in
enhancing the safety and security features on our website so that you
may feel confident using it. While no company can completely prevent
unauthorized access to data, we are committed to ensuring that our data
is protected by the highest levels of security.

If you have any questions or need further information regarding this incident, please do not hesitate to contact us.

Please note that no replies will be available from the TAD Gear Staff
in this venue for legal purposes related to our ongoing investigation
with Federal Law Enforcement Agencies tasked with cyber-crime.

Thank you.

Alles anzeigen

Hier noch ein Statement von Patrick (Chef und Besitzer von TAD):

Zitat

the extent of what we able say right
now will be greatly limited until FBI cyber-crime unit says it okay to
say. they are looking very closely at ANY possible external routes to
this crime.

right now, any possible breach has been ONLY on the the new site and
has been limited to a very small percentage. the only period which was
affected is as noted in our official statement we were allowed to
publicize.

obviously this sucks, and it feels like a sucker punch in the stomach.

our entire site is currently being moved to a completely new server and
new hosting company. additional security measures outside of the very
expensive ones we already had in place are also being put in place on
our new web home. we cannot state what additional measures as to keep
our new additional security, just that, confidential and secure.

the new site and server will be wiped of all data and all new user
logins will be required. of course, our phones lines will be available
for any non-internet orders.

again, i am sorry but we are not at liberty to elaborate on the ongoing
investigation, but be advised that the facts as stated in our sticky.

in cooperation with the FBI, we will not able to address this further on USN.

this will be the last reply on this public venue.

pls address any and all questions to action@tadgear.com

thank you.
_________

Alles anzeigen

Des weiteren hat er noch folgendes gepostet:

Zitat

just want to note, that we are being very proactive about this.

• all customer data was been wiped from site.
• only 0.0025% of ALL our customers may have been affected.
• any affected would only be from online. nothing b4 the dates listed
  in our notice, and certainly nothing from phone orders, walkins, or
  mailed.
• all customer data stored in our database onsite in our physical location was, is and remains 100%.

thank you.

Das nenn ich mal nen schönen Clusterfuck... Ich hoffe, dass niemand hier aus dem Forum direkt betroffen ist. Obwohl ich noch nichts über die neue Homepage bestellt habe, bin ich mal meine Daten durchgegangen. Behaltet eure Abrechnung einfach mal ne zeitlang im Auge.

lowendd out...

Nur mal keine schnellen Urteile. Meines Wissens hatten die Herrschaften alle Sicherheitsvorkehrungen schon getätigt aber mussten noch auf die Lizensen warten, um das https zeugs verwenden zu dürfen.

Ich würde ja gern den genauen Wortlaut der TAD Leute wiedergeben, aber ich hab im USN keinen Zugriff auf die Suchfunktion und finde den Thread so nicht mehr.

Schaut so aus, als ob TAD Gear es endlich geschafft hat auch auf der Homepage eine Warnung/Information zu dem Zwischenfall zu posten. Das hat ja lange gedauert...

Zumindest die User im Lightfighter Forum sind ziemlich angepisst. Da hat TAD wohl den Großteil der User als Kunden verloren. Im USN spielen sich die Leute nur Sicherheitstips zu.

Sooo... der thread im USN, den ich so lange gesucht habe, ist wieder aufgetaucht. Hier der Link für diejenigen mit USN Account:

http://www.usualsuspect.net/forums/showthread.php?t=436506

Für den Rest poste ich hier ein paar Auszüge:

Zitat

Quote: 09-24-2009, 11:50 PM
Originally Posted by Erminio
Hi TAD guys,

I tried yesterday evening to enter an order for two sheaths and noticed
that the form wasn't encrypted (no Certificate Authority stamp, no
https either) - I remember a post about the matter and I was under the
impression it had been addressed...
Thanks!
Erminio

Die Antwort von Patrick:

we're stuck with a paperwork snag to get the official verisign
stamp. we're just waiting for the official approval and put up the logo.

other than that we have lots of other security measures already in place on the backend.

just a matter of time to have the obvious SSL logo's to put on our site. thanks

Alles anzeigen

Zitat

Quote:09-29-2009
Originally Posted by MOTO69JOE
So are the security measures in place?

Patrick:

absolutely

Zitat

Sorry for having to object. I just checked a minute ago and the
protocol on all relevant pages, but especially the form where the
cc-data is entered is standard http, instead of https. Practically
speaking, the data transmitted through that form can be read in clear
text by anyone eavesdropping between the sender and your server
including all hubs inbetween. Not entering your cc-data in an insecure
form online can be regarded the #1 rule for shopping on the web.

However, setting up https does require a SSL-certificate, which can be
generated by anyone in a few minutes. What you are looking for is
"just" the official "signing" of the certificate from Versign/Thawte
etc. which is nice to have (as it spares your customer a browser
warning) but doesn't add any more technical security.

I would suggest to get the self-signed SSL-cert in place for the whole
check-out process _now_ and switch to the new certifcate from Versign
(if you did not submit your own anyway), once you have it. Getting
everything to run on ssl will take some time and the certifcate
exchange will take next to no time, so you have almost no redundant
work but immediate security. If you submitted a key pair you generated
yourself, you have 0 work to do, when Versigin approves it.

find out more about http and https here:

http://www.biztechmagazine.com/article.asp?item_id=277

Alles anzeigen

Ich denke mir mal, dass TAD hier nachlässig war. Zumindest einer hat im USN Forum gestern Eier gehabt und gemeint, dass dies ein "avoidable problem" gewesen sei, also ein Problem, das verhindert werden hätte können.

Naja wie heißt es so schön: Learning by doing.

JA, es geht hier anscheinend nur um die neue Seite und um Bestellungen zwischen 6. August und 16. November diesen Jahres.