Maine, Play.com, GSN Customers Hit by Third-Party Data Breach
Three recent data breaches at third-party Web service providers highlight the importance of organizations making sure that customer data held outside the company is protected.
Unlike the recent RSA breach or the malware-based attack on the European Commission, cyber-criminals stole information from tourists visiting Maine state parks and shoppers buying from Play.com by hitting third-party marketing companies. And some evidence indicates the recent TripAdvisor breach may also have been the result of a compromised partner and not a SQL injection attack as was previously speculated.
It's critical for organizations to identify what data they have that someone else may want, and who has access to that data, Michael Maloof, CTO of TriGeo Network Security, told eWEEK.
Tourists who bought passes for a Maine state park may have had their credit card information stolen after an online vendor's systems were infected with malware, the Associated Press reported. A malware attack on Maryland-based InfoSpherix exposed credit cards used to buy the park passes from March 21 to Dec. 22, 2010, said Jeanne Curran, a spokeswoman for Maine's Department of Conservation, on March 24. The Maine Bureau of Parks and Lands learned of the data breach in February.
Credit card numbers and expiration dates were stolen, according to Maine's Assistant Attorney General Thom Harnett. Names associated with the cards were kept on another server, which wasn't breached, he said.
The breach was limited to the systems of InfoSpherix, a subsidiary of San Diego-based Active Network that offers Web services such as online registration, payment processing, donations and transactions. The rest of the state government's operations remained intact, Maine officials said.
The scope of the breach is unclear at this time. Notices were sent to 970 Maine residents whose data was in the breached system, but residents of other states were also affected. The attorney general's office in Maine has alerted the attorneys general in other states.
Companies aren't always focused on security, as IT teams are more concerned about having things available and running for their users, Maloof said.
There have been other data breaches at third-party providers recently. Play.com, an online seller of CDs, DVDs, books and apparel, notified customers on March 23 that its third-party marketing company's database had been breached. CEO John Perkins told customers via Play.com's Facebook page that the email marketing company is Silverpop, which was attacked a few months ago.
McDonald's and deviantART notified their customers after the Silverpop incident in December. American Honda Motor, another Silverpop client, reported a breach of 4.9 million customer records shortly after, although the company didn't directly name Silverpop for that event.
Silverpop claims that none of the Play.com email addresses was affected by that episode, according to Perkins. It is not clear at this time whether email addresses and names were stolen during that earlier attack, or whether attackers got into Silverpop again more recently.
While email addresses were stolen, other sensitive information such as credit card numbers, addresses and passwords remained secure because it was stored separately in Play.com's internal environment, Perkins said.
Play.com did not reveal how many customers were affected, but warned users to be on the lookout for spam messages purporting to be from Play.com. Some users complained on March 20 that they were receiving spam in email accounts used specifically for Play.com, Perkins said.
Those messages offered users an Adobe Reader upgrade if they registered at the linked Website and paid for the software; the download actually contained a Trojan, according to Netcraft, an Internet services company based in Bath, England.
Users on Game Show Network forums reported receiving similar fake Adobe Acrobat/Reader spam on March 20. An examination of the email headers revealed the messages were being sent from GSN's marketing company, ExactTarget. TripAdvisor has been an ExactTarget client since 2008, according to the company's previous announcements.