Tourists visiting Maine, Play.com shoppers and Game Show Network members were affected when criminals attacked a third-party marketing firm and stole member information.
Three recent data breaches at third-party Web service providers highlight
the importance of organizations making sure customer data outside of the
company is protected.
Unlike the recent RSA breach or the
malware-based attack on the European Commission, cyber-criminals stole
information from tourists visiting Maine
state parks and shoppers buying from Play.com by hitting third-party marketing
companies. And some evidence indicates the recent TripAdvisor breach may also
have been the result of a compromised partner and not a SQL injection attack as
was previously speculated.
It's critical for organizations to identify what data they have that someone
else may want, and who has access to that data, Michael Maloof, CTO
of TriGeo Network Security, told eWEEK.
Tourists who bought passes for a Maine
state park may have had their credit card information stolen after an online
vendor's systems were infected with malware, the Associated Press reported. A
malware attack on Maryland-based InfoSpherix exposed credit cards used to buy
the park passes from March 21 to Dec. 22, 2010, said Jeanne Curran, a spokeswoman for Maine's
Department of Conservation, on March 24. The Maine Bureau of Parks and Lands
learned of the data breach in February.
Credit card numbers and expiration dates were stolen, according to Maine's
Assistant Attorney General Thom Harnett. Names associated with the cards were
kept on another server, which wasn't breached, he said.
The breach was limited to InfoSpherix systems, a subsidiary of San Diego-based
Active Network, which offers Web services such as online registration, payment
processing, donations and transactions. The rest of the state government
operations remained intact, Maine
The scope of the breach is unclear at this time. Notices were sent to 970 Maine
residents who were in the breached system, but residents of other states were
also compromised. The attorney general's office in Maine
has alerted the attorneys general in other states.
Companies aren't always focused on security, as IT teams are more concerned
about having things available and running for their users, Maloof said.
There have been other data breaches at third-party providers recently.
Play.com, an online seller of CDs, DVDs, books and apparel, notified customers
on March 23 that its third-party marketing company's database had been
breached. CEO John Perkins told customers
that the email marketing company is Silverpop, which was attacked
a few months ago.
McDonald's and deviantART notified their customers after the Silverpop
incident in December. American Honda Motor, another Silverpop client, reported
a breach of 4.9 million customer records shortly after, although the company
didn't directly name Silverpop for that event.
The agency claims none of the Play.com email addresses was affected by that
episode, according to Perkins. It is not clear at this time whether email
addresses and names were stolen during that attack, or if attackers got into
Silverpop again more recently.
While email addresses had been stolen, other sensitive information such as
credit card numbers, addresses and passwords remained secure as they were
stored separately in Play.com's internal environment, Perkins said.
Play.com did not reveal how many customers were affected, but warned users
to be on the lookout for spam messages purporting to be from Play.com. Some
users complained on March 20 that they were receiving spam in email accounts
used specifically for Play.com, Perkins said.
Those messages offered users an Adobe Reader upgrade if they registered at
the linked Website and paid for the software, which contained a Trojan,
according to Netcraft, an Internet services company based in Bath,
Users on Game Show Network forums reported receiving similar fake Adobe
Acrobat/Reader spam on March 20. An examination of the email headers revealed
the messages were being sent from GSN's marketing company, ExactTarget.
TripAdvisor has been an ExactTarget client since 2008, according to the company's