Additional information from Midwest Supplies

Homebrew Talk - Beer, Wine, Mead, & Cider Brewing Discussion Forum


Posted by midwestsupplies (Active Member, joined Aug 11, 2010; St. Louis Park, MN):
As you know, Midwest Supplies experienced a data breach and as President, I want to explain what happened, what we’ve changed and what we’ve learned.

Here’s what we know and have reported to law enforcement authorities

On July 19, 2013, Midwest Supplies, as part of an on-going investigation of a possible data breach prompted by a customer and a card association inquiry, discovered a breach of midwestsupplies.com and contained the compromise.

We immediately notified each of the credit card brands so that they were aware of the potential breach and could increase their monitoring for fraudulent activity (this is possibly the reason why cardholders received replacement cards from their card issuers.)

The independent third-party forensics firm we had hired began work to determine the scope of the breach. This investigation took longer than we expected because certain of the log files had been maliciously erased and had to be reconstructed.

As a result we determined among other matters:

  • There was unauthorized access to an administrative account of the midwestsupplies.com website using the credentials of a Midwest Supplies employee but originating from a foreign country.
  • That account was used to upload a malicious command shell to the midwestsupplies.com web content server. This file was disguised as a graphics file.
  • The command shell was used to insert 2 lines of malicious code into the web server’s payment module. The malicious code was designed to intercept a copy of the cardholder data that was being submitted for authorization to Authorize.net, a VISA company (a variant of a “man in the middle” attack commonly called a “double mailer”).
  • The cardholder data elements at risk include PAN, CVV, Expiration Date, Name, Address, Phone and Email.

Having secured the servers, notified the credit card brands and investigated the scope of the breach, we worked as quickly as we could to determine exactly which customers were at risk and to provide notifications to them.

  • Most customers were not at risk. At risk were only those customers who entered credit card information. Customers who had stored their sensitive cardholder data elements prior to the time of the breach or who used PayPal were not at risk.

What we have changed

At the time of the breach, we sincerely believed that our servers were secure and that the third-party testing and verification of that security was sufficient assurance of the same. However, since discovering the breach, we have come to realize that such assurances are insufficient. As a result of our investigation, we have made the following changes among others:


What we have learned

The entirety of our leadership including founders, managers and shareholders have been working tirelessly on this breach with only the best of intentions. Rest assured that we have all read and considered thoughtfully what has been said about us and the breach including the often pointed criticism.

As a result, we have learned that, among other things:

  • We must maintain constant vigilance against those nameless people who would do us harm.
  • We needed to communicate better by providing additional updates that would not have compromised the on-going investigation of law enforcement into what is a crime.
  • If we had provided those additional facts about what we know and what we have changed, we would have reduced speculation.
  • We did not appreciate fully that some of you would fear that the theft of sensitive cardholder data would place your identity at risk. If you are concerned about this, we will, of course, arrange for one year of credit monitoring for you at our cost.

As one of you wrote, when credit card information is stolen, we are all victims; and we regret that this attack on our security exposed any customer to any inconvenience and apologize for compounding the issue by not having provided more transparency on a timely basis.

If you have feedback or if there is anything we can do to address a specific or individual concern including the credit monitoring referred to above, please call us at 888-449-2739 or e-mail [email protected].

David Kidd, President
 
The 'man in the middle' attack is amazingly easy. As a long time web developer of ecommerce sites, I've had two sites hacked in this way. Once you have access to the site's code, all the PCI compliance in the world won't protect you. Stuff like this happens, even though it shouldn't. Good on you for (finally?) providing a detailed summary of what occurred. Better communication is always preferred over minimal communication.
 
It's fantastic when a company reaches out and communicates directly with their customers. Especially when it is something serious like this. Thanks Midwest!
 
Tack it to the top. After all the bashing before all the info that went on; Midwest's voice needs to be heard.

Apparently all of ours were.
 
This is a nice change from what we heard previously, which was nothing at all.

While I probably won't be shopping with MW any time soon (not even necessarily because of the breach), I do appreciate the level of detail provided here, as it helps reassure customers that you all are in fact listening to what we say and giving some feedback and additional info (though a bit slower than we expected).
 
Thanks for the update. Hopefully most of us aren't playing the blame the victim game.
 
In my opinion, the facts of the breach should have been communicated from the very start. There is the chance that doing so would cost the company some sales, but it seems apparent that not saying anything will also cost some customers. I'd rather shop at a place that is up front and honest, even when things such as this happen. Security breaches happen. I think most people realize that.
 
Thanks for the update. I'm in the minority in that I'm not terribly afraid of stuff like this. I already spent the $25 certificate on a Dark Star for a buddy of mine. Cheers!!
 
Thank you for providing this information. Promptness is always appreciated, but thoroughness is also virtuous. I will continue to support you with my purchases.
 
Thanks for explaining the issue. My fear was that you were storing data locally, which is really unforgivable.

It does sound like you have some XSS holes to investigate on your site, or at the very least, employee logins should be validated against an acceptable IP range.

Good luck.
 
First, Thank you for the information and the steps you have taken to enhance the security of the MW/NB e-Commerce sites.

What we have changed

We have limited even further the access to our administrative functionality of all of our web applications and made universal the requirement to use random but strong passwords generated by password management utilities in cases where we did not do so before.

Second, I hope this means that the administrative functionality can no longer be accessed from the public network.
 
In my opinion, the facts of the breach should have been communicated from the very start. There is the chance that doing so would cost the company some sales, but it seems apparent that not saying anything will also cost some customers. I'd rather shop at a place that is up front and honest, even when things such as this happen. Security breaches happen. I think most people realize that.

Facts can't be communicated if they are unknown, unless of course this is a network news channel or three where they make them up as they go along. The "fact" of the breach was made public. After that it takes time to figure out the facts of what happened. Now the rest of the facts are out there. A few still concern me, but for the most part this went down as I expected, and have personally dealt with myself at numerous web projects. There are always new ways found to get access to sites. The trick is being able to verify the integrity of your site contents on a regular basis, like I discussed in another epic thread on this topic. I was ignored then, and likely will be again, but my ego isn't invested here so that is OK. In truth, I am impressed they learned as much as they did about the breach and how it occurred. Most of the time folks just clean up the mess, finally patch servers and secure extraneous directories from execution, and move on. Very few clients have been interested in the mechanics of the breach.
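The kind of regular integrity check the post above argues for, applied to the two changes the Midwest statement describes (a script uploaded under a graphics-file name, and lines inserted into the payment module). This is an added example, not code from the thread or from Midwest Supplies; the directory layout, the image formats and the sample files are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Assumed image formats for an upload directory, with their header bytes.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")
IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif"}

def snapshot(root):
    """Map each file's path (relative to root) to the SHA-256 of its bytes."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                result[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return result

def looks_like_image(path):
    """True only if the file really starts with a known image header."""
    with open(path, "rb") as f:
        head = f.read(8)
    return any(head.startswith(magic) for magic in IMAGE_MAGIC)

def verify(root, baseline):
    """Diff the live tree against a trusted baseline; also flag fake images."""
    current = snapshot(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(set(baseline) - set(current)),
        "fake_images": sorted(p for p in current if os.path.splitext(p)[1].lower() in IMAGE_EXT
                              and not looks_like_image(os.path.join(root, p))),
    }

def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a clean site, then replay the two changes from the thread."""
    root = tempfile.mkdtemp()
    write(root, "images/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # genuine image
    write(root, "checkout/payment.php", b"<?php // forward card data to the gateway\n")
    baseline = snapshot(root)  # taken while the site is known-good and kept off the web server
    write(root, "images/banner.gif", b"<?php /* constructed: script stored under an image name */ ?>")
    write(root, "checkout/payment.php", b"<?php // forward card data to the gateway\n// constructed tamper line 1\n// constructed tamper line 2\n")
    return verify(root, baseline)
```

Run the baseline while the site is known-good and keep it somewhere the web server's account cannot write, otherwise an intruder who can erase logs can also rewrite the baseline.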
 
Facts can't be communicated if they are unknown, unless of course this is a network news channel or three where they make them up as they go along. The "fact" of the breach was made public. After that it takes time to figure out the facts of what happened. Now the rest of the facts are out there. A few still concern me, but for the most part this went down as I expected, and have personally dealt with myself at numerous web projects. There are always new ways found to get access to sites. The trick is being able to verify the integrity of your site contents on a regular basis, like I discussed in another epic thread on this topic. I was ignored then, and likely will be again, but my ego isn't invested here so that is OK. In truth, I am impressed they learned as much as they did about the breach and how it occurred. Most of the time folks just clean up the mess, finally patch servers and secure extraneous directories from execution, and move on. Very few clients have been interested in the mechanics of the breach.

The first post in the thread alerting people to the possibility of a problem started on July 6. Midwest reports the start of an investigation, which up to that point had revealed nothing, on the 9th, based on the reports of CC problems on this site. So far so good.

On Sept 1st, MW admits there was a problem on July 19th. 44 days later?

Then on Sept 5th, they give details.

So for 44 days they knew there was a breach and decided to not tell the very people who alerted them of a possible problem. Maybe this is what you would consider better than average for companies who have to deal with this, but from a homebrewer, it feels like they first tried to limit the exposure and loss of sales from it, rather than keeping the information channel open.

I don't think I have a large ego, thank you. At least I try not to. It's hard sometimes. But in any case considering how many other online sources there are for homebrewing supplies, I don't feel I am missing out by not shopping there.
 
The first post in the thread alerting people to the possibility of a problem started on July 6. Midwest reports the start of an investigation, which up to that point had revealed nothing, on the 9th, based on the reports of CC problems on this site. So far so good.

On Sept 1st, MW admits there was a problem on July 19th. 44 days later?

Then on Sept 5th, they give details.

So for 44 days they knew there was a breach and decided to not tell the very people who alerted them of a possible problem. Maybe this is what you would consider better than average for companies who have to deal with this, but from a homebrewer, it feels like they first tried to limit the exposure and loss of sales from it, rather than keeping the information channel open.

I don't think I have a large ego, thank you. At least I try not to. It's hard sometimes. But in any case considering how many other online sources there are for homebrewing supplies, I don't feel I am missing out by not shopping there.

+1. I don't think he actually bothered to check out the timeline of events before that comment. You could tell that from his very first sentence.
 
They lost a lot of customers because of their poor customer service- silence killed your company!
 
We have limited even further the access to our administrative functionality of all of our web applications and made universal the requirement to use random but strong passwords generated by password management utilities in cases where we did not do so before.

Wow, this is an incredibly bad idea. I hope you talk with some real tech people before you make more big mistakes.
 
I just had to post here.

I was hit with this breach biiiiig time ($1500+ put onto my card over 10+ orders) and I am just finding out about this now. I just got my letter in the mail yesterday.

I can't wait to have a call with them about this :/
 
I just had to post here.

I was hit with this breach biiiiig time ($1500+ put onto my card over 10+ orders) and I am just finding out about this now. I just got my letter in the mail yesterday.

I can't wait to have a call with them about this :/

And you paid for that $1500+? If so, and it lasted over 10 fraudulent orders, then you have no one to blame but yourself. That's irresponsible money management and awareness, at best.
 
And you paid for that $1500+? If so, and it lasted over 10 fraudulent orders, then you have no one to blame but yourself. That's irresponsible money management and awareness, at best.

You are quite assuming. This happened late on a Sunday night into Monday morning. Good thing I did check in the morning of Monday.

I'm clearly to blame for the data breach that gave a person access to what seems to be stored plaintext credit information.
 
You are quite assuming. This happened late on a Sunday night into Monday morning. Good thing I did check in the morning of Monday.

I'm clearly to blame for the data breach that gave a person access to what seems to be stored plaintext credit information.

Assumption? No, more like direct inference based off your exact wording:

grikka said:
I was hit with this breach biiiiig time ($1500+ put onto my card over 10+ orders) and I am just finding out about this now. I just got my letter in the mail yesterday.

Based off that statement, one can only infer that you had a series of fraudulent charges quite a while back, and you JUST found out about them NOW.

I'm not trying to get onto you, but you should have worded it as: "I was hit with this breach biiiig time back [whenever it happened], and just now got my letter in the mail that shows Midwest was the culprit."

Again, what you said implies that you just now found out that you had fraudulent charges on your account.

Regardless, no sweat (I certainly wasn't trying to start a war), and glad to see you DIDN'T pay the price. :mug:
 
I'm clearly to blame for the data breach that gave a person access to what seems to be stored plaintext credit information.

According to Midwest, this was not the case, and they were a victim of a man-in-the-middle attack. However, nobody but them and the hackers will ever truly know.
 
Assumption? No, more like direct inference based off your exact wording:



Based off that statement, one can only infer that you had a series of fraudulent charges quite a while back, and you JUST found out about them NOW.

I'm not trying to get onto you, but you should have worded it as: "I was hit with this breach biiiig time back [whenever it happened], and just now got my letter in the mail that shows Midwest was the culprit."

Again, what you said implies that you just now found out that you had fraudulent charges on your account.

Regardless, no sweat, and glad to see you DIDN'T pay the price. :mug:


That's fine, other than that action was taken that Monday morning. Taking time off work to deal with this person's actions in trying to buy some goods, in hopes that whatever was purchased while I was asleep got them what they wanted.

As for the time frame of when I found out that it was Midwest Supplies, that was when I got the letter mentioned above.
 