Important Statement From Midwest Supplies

Homebrew Talk - Beer, Wine, Mead, & Cider Brewing Discussion Forum

Help Support Homebrew Talk:

midwestsupplies

Active Member
Joined
Aug 11, 2010
Messages
44
Reaction score
32
Location
St. Louis Park, MN
Recently we learned that despite our best efforts the security of our website was breached by an outside party. For certain types of transactions, this breach may have resulted in the outside party being able to capture and use customer credit card information entered at the time of the transaction. When we identified the breach, we immediately secured our servers, hired a technical team to investigate and help resolve the situation, notified the credit card companies and law enforcement, and obtained legal counsel specializing in computer hacking to help us navigate the very specific legal notification requirements for all 50 states. At this time, all of the notifications have been made, and letters have been sent to all customers that may have been impacted. We regret not providing an update sooner, but we did not want to comment publicly until our investigation was complete and we were able to identify and notify those potentially affected.

Our investigation has now been completed and we are satisfied that the situation has been resolved and that all affected customers have been identified. We have also implemented extensive steps to prevent this kind of incident from happening again. In addition, we sent a letter to each customer who may have been impacted, notifying them of the incident and providing our sincere apology and a credit for $25 worth of homebrewing or winemaking supplies. If you have any questions or concerns please contact our customer service department by phone at 888-449-2739. Rest assured that if you were not contacted you were not among the customers impacted.

We have spent many years working to earn your trust and loyalty. And we recognize an attack like this can undermine that trust. As one brewer to another, you can rest assured that we won’t rest until you’ve brewed your best.

David Kidd

President
 

nickmv

Well-Known Member
Joined
Mar 1, 2010
Messages
780
Reaction score
70
Location
Memphis
1. Why did you take 1.5 months to notify ANY customers? I don't care what the circumstances are with your investigation, there is no excuse for 1.5 months delay for such an announcement. Honestly, that kind of delay for something that occurred way back in June should be downright illegal. I understand you need to consult with professionals on this matter, but you have a duty to notify customers in a timely manner. You put their CC's and accounts at risk with that move. Until you provide some sort of insight into WHEN you contacted CC companies, and what their actions were in response, I'm going to assume that doing such a thing had little to no effect, as customers continued to post that their CC's were stolen for quite a long time after the reported incident date (seen here).

2. Despite your efforts to mitigate the situation, your response didn't quite hit the mark. A $25 gift card? You SHOULD be offering fraud protection service (credit monitoring) to each and every one of these customers. That's the standard for compromised cards nowadays, at least from the past 2 experiences I've had. Somehow a $25 GC doesn't seem to instill any lost confidence from what happened.

Additionally, simply telling customers basically "trust us we fixed it" in no way will solve your problems. The lack of transparency about what's transpired, combined with dodgy responses and downright denials over the past months, shows that you're still hiding something (namely that you REALLY messed up and didn't follow compliance regulations, held onto customers' CC #'s without permission, and more), and will only hurt you further.
 

jeffjm

Well-Known Member
Joined
Aug 17, 2010
Messages
434
Reaction score
80
Location
St. Louis
Nick, I have to say I have some sympathy with your points, but I also am sure Midwest has had lawyers telling them not to say anything up until now. Damned if you do, damned if you don't.

The interesting things to me are that the official statement came on the Sunday night of a 3-day weekend when it would get minimal attention, and that a quick visit to the Midwest site didn't show anything about the problem.

And finally, once there's been a breach like this, it's very hard to know for sure that the perpetrator is completely gone. Outsiders have no way of evaluating the risk of recurrence.
 

nickmv

Well-Known Member
Joined
Mar 1, 2010
Messages
780
Reaction score
70
Location
Memphis
Jeff, I knew full and well with my opinion that it has legal ramifications, but my point still remains and is just as valid as any legal points they may have.

And yes, it's quite convenient that they posted it now, and haven't bothered being very public with it at all.
 

ChefRex

I once had a thought,
Lifetime Supporter
Joined
Dec 19, 2012
Messages
10,655
Reaction score
4,951
Location
Woodbridge
"The interesting things to me are that the official statement came on the Sunday night of a 3-day weekend when it would get minimal attention"
+1 on this
 

Mongrel

Well-Known Member
Joined
Oct 25, 2010
Messages
1,749
Reaction score
246
Location
Sisters, Oregon
I understand you got compromised, it happens. I'm glad you've taken care of the issues. What I really don't like is how you dismissed everyone here on HBT when they brought the issue to light.
 

masskrug

Well-Known Member
Joined
Sep 16, 2012
Messages
1,447
Reaction score
246
Hey! You get a $25 coupon for your identity theft. That will almost buy you a kit.
 

wsender

Well-Known Member
Joined
May 1, 2011
Messages
50
Reaction score
6
Location
Rochester
All the apologist here who 'understand' don't understand that this wouldn't have happened if you were PCI compliant. Why are you even storing our numbers? Why aren't they processed then discarded? This is really unacceptable.

The inconvenience I suffered when someone racked up over $700 dollars worth of charges about 3 weeks ago is unacceptable too. Thankfully my bank denied all the charges. I'm not alone in this. Look at this post here, seems to be a common thread.

http://www.reddit.com/r/Homebrewing...est_homebrewing_website_hacked_your_personal/

A $25 dollar gift card is paltry and insulting. Credit monitoring and some assurance about what you've done to stop this from happening in the future would have been a much better solution.
 

PastorofMuppets

brewing beer leads to happy life
Joined
Jan 4, 2013
Messages
468
Reaction score
55
Location
Indianapolis
I wont be making any further purchases. I have ran and managed sales sites, merchant accounts, pci compliance, etc for years. There are no excuses.
 

nickmv

Well-Known Member
Joined
Mar 1, 2010
Messages
780
Reaction score
70
Location
Memphis
All the apologist here who 'understand' don't understand that this wouldn't have happened if you were PCI compliant. Why are you even storing our numbers? Why aren't they processed then discarded? This is really unacceptable.

The inconvenience I suffered when someone racked up over $700 dollars worth of charges about 3 weeks ago is unacceptable too. Thankfully my bank denied all the charges. I'm not alone in this. Look at this post here, seems to be a common thread.

http://www.reddit.com/r/Homebrewing...est_homebrewing_website_hacked_your_personal/

A $25 dollar gift card is paltry and insulting. Credit monitoring and some assurance about what you've done to stop this from happening in the future would have been a much better solution.
This x100000. I toned down my original response, but there really is absolutely NO excuse whatsoever for what happened. Having your server with CC #'s connected through the web? Absolutely ridiculous. That reddit discussion gets into where PCI compliance people can attest to the fact that what was done was inexcusable.

I will not be shopping with Midwest in the future, and will recommend that all friends go elsewhere (not even NB if possible, since they own Midwest). And assuming I was indeed a victim of this and get a $25 GC --- well, you can put it you-know-where.
 

nickmv

Well-Known Member
Joined
Mar 1, 2010
Messages
780
Reaction score
70
Location
Memphis
Source for this nugget of info?
I'm not sure there's a specific direct source for this info, but it's a well-known fact around here. From a quick Google search, here's some basic info from way back when, from an employee:

"As a recently departed Midwest employee, I can tell you that the two companies are essentially merging. No one is buying each other out. The two companies' procurement and fulfillment operations are combining into one warehouse, while leaving each respective companies' existing warehouses in tact. The Midwest and Northern Brewer brands will remain separate. I haven't heard how the management structure will change, but I do know the president of Midwest sold his shares to the CEO and left the company.

This info came straight from upper management's mouth. I have an inherent distrust of most anything upper management says, but this stuff is a Big Enough Deal to not feed employees half-truths. I think you can take this as truth."

Basically they're one and the same. If anyone can offer info to the contrary, please do. This quote I lifted was from a while back. Everything I've heard is that for all intents and purposes, NB owns Midwest, but runs them separately.
 

Shakybones

Well-Known Member
Joined
Apr 13, 2013
Messages
410
Reaction score
74
Location
eastern
I apologize to all for disputing your assertions about MW's connection to your CC fraud. I still believe that it is most prudent to reserve judgement until proof is provided.

As a loyal customer (and defender, until now) of theirs, I am unbelievably disappointed in them for their delay in revealing the breach. $25 to anyone who "may have been impacted" is fine, but those who "have been impacted" deserve a hell of a lot more than that, if the breach was due to negligence on MW's part (which it sounds like it was).

Oh, and if they expected this Labor Day weekend post to go under the radar, they are going to be sorely disappointed.
 

swackattack

Well-Known Member
Joined
Dec 28, 2011
Messages
682
Reaction score
37
Location
Pittsburgh
I'll be returning one of my recent purchases. With a response lag time like this you don't deserve my business
 

jeffjm

Well-Known Member
Joined
Aug 17, 2010
Messages
434
Reaction score
80
Location
St. Louis
From David Kidd's linkedin page:

  • CEO Midwest Supplies December 2010 - February 2013
  • President, Northern Brewer, March 2013 - Present

If the president of Northern Brewer is issuing statements about a credit card problem at Midwest, I'd call that pretty conclusive that the two companies are closely related.
 

The_Professor

Well-Known Member
Joined
Apr 10, 2010
Messages
256
Reaction score
33
Location
Calif, USA
Austin Homebrew had an issue with the company that handled their cards a while back.

I actually had an unauthorized charge on my account that my bank halted, then an email from Austin Homebrew in that same timeframe. I believe Austin Homebrew stopped doing business with that provider and offered a limited time 20-25% discount.

I didn't have an issue with it as nothing progressed to really bad levels. I had to wait a few days for a new card from my bank.
 

BigFloppy

Well-Known Member
Joined
Aug 28, 2013
Messages
885
Reaction score
117
Location
Marietta
geeez guys, nothing like getting your panties in a wad,

Last time my card got whooped was from the local Mexican Restaurant... I've had much less intrusion FROM ANY of my online buys

Stop berating our online suppliers cause someone managed to breach their initial best effort CC security.


If your card has never been stolen, I think you're probably in the minority here!
 

dgrums

Active Member
Joined
Sep 11, 2012
Messages
41
Reaction score
8
BigFloppy said:
geeez guys, nothing like getting your panties in a wad,

Last time my card got whooped was from the local Mexican Restaurant... I've had much less intrusion FROM ANY of my online buys

Stop berating our online suppliers cause someone managed to breach their initial best effort CC security.

If your card has never been stolen, I think you're probably in the minority here!
The difference in your experience and ours is that they only got your card number and expiration date if it happened at a POS machine. We had plenty more information stolen. They got our addresses, phone numbers, cc numbers, expiration dates, and security codes. They've got our home addresses and phone numbers. We'll get a $25 coupon.
 

CadillacAndy

Well-Known Member
Joined
Oct 2, 2011
Messages
977
Reaction score
100
Location
Pittsburgh
geeez guys, nothing like getting your panties in a wad,

Last time my card got whooped was from the local Mexican Restaurant... I've had much less intrusion FROM ANY of my online buys

Stop berating our online suppliers cause someone managed to breach their initial best effort CC security.


If your card has never been stolen, I think you're probably in the minority here!
You clearly have not been following the other thread that's been going for almost 2 months.

I think getting "our panties in a wad" about money/credit being stolen is acceptable.
 

mattd2

Well-Known Member
Joined
Sep 23, 2009
Messages
3,819
Reaction score
334
Location
Papamoa
Austin Homebrew had an issue with the company that handled their cards a while back.

I actually had an unauthorized charge on my account that my bank halted, then an email from Austin Homebrew in that same timeframe. I believe Austin Homebrew stopped doing business with that provider and offered a limited time 20-25% discount.

I didn't have an issue with it as nothing progressed to really bad levels. I had to wait a few days for a new card from my bank.
I remeber that thread too and the big difference I saw between AHS and MW was that AHS basically was upfront and said "hey guys i think we got a problem here, we'll keep you updated with what we find" and MW said "nothing to do with us, stop saying that we have a CC fraud issue, nah nothing to see here, etc."
...Stop berating our online suppliers cause someone managed to breach their initial best effort CC security...
I think you are missing everyones point that their "best effort" was a very very very poor effort when compared to industry best practices.
 

nickmv

Well-Known Member
Joined
Mar 1, 2010
Messages
780
Reaction score
70
Location
Memphis
The difference in your experience and ours is that they only got your card number and expiration date if it happened at a POS machine. We had plenty more information stolen. They got our addresses, phone numbers, cc numbers, expiration dates, and security codes. They've got our home addresses and phone numbers. We'll get a $25 coupon.
He's brand new here. I wouldn't think twice about what a new user with no knowledge of the actual situation thinks. Typical response from someone who has no association with this situation (read: ISN'T affected) and who doesn't give 2 ****s about identity theft and fraud.

It's OK, he'll learn later down the road when someone takes a credit card out in his name and ruins his credit. No big deal though, right?
 

Shakybones

Well-Known Member
Joined
Apr 13, 2013
Messages
410
Reaction score
74
Location
eastern
Stop berating our online suppliers cause someone managed to breach their initial best effort CC security.
I think it's the "initial best effort" part that's the problem. It appears now that their security wasn't a "best effort".

I defended them until the facts were in. I know how frequent CC fraud occurs. However, if they weren't doing their due diligence to maintain security in the face of the constant and ubiquitous onslaught of hackers working identity theft rings, then they deserve every bit of the criticism they are receiving here.
 

Brulosopher

Well-Known Member
Joined
Jun 1, 2011
Messages
3,008
Reaction score
445
Who was impacted? I spent $30 on July 3 then realized 3 weeks later I had 2 charges on my credit card at the same Illinois furniture store, for the same amount. I haven't heard a thing from MW...

Edit: I've never been to Illinois... and don't buy furniture
 

opus345

Well-Known Member
Lifetime Supporter
Joined
Mar 3, 2012
Messages
708
Reaction score
182
Location
Omaha
This is one of those times when I need a Dislike This Post button for Midwest. $25 to spend at MW? Why would I want to come back?
 

FuzzeWuzze

I Love DIY
Joined
Jun 19, 2012
Messages
3,140
Reaction score
458
Location
Newberg
geeez guys, nothing like getting your panties in a wad,

Last time my card got whooped was from the local Mexican Restaurant... I've had much less intrusion FROM ANY of my online buys

Stop berating our online suppliers cause someone managed to breach their initial best effort CC security.


If your card has never been stolen, I think you're probably in the minority here!
You do realize their "best" effort was borderline illegal by not being PCI compliant right?

Their "best" effort was equivalent to writing your credit card number down and sticking it on a table anyone could walk by and see.

This isnt 1999 where cyber crime is new, or even difficult for all that matter. Even very basic encryption and or hashing of the cards would have prevented any of the data from being useful. Storing plain text credit card info in 2013, thats just amateur at best and their web developers should be ashamed of themselves.
 

wsender

Well-Known Member
Joined
May 1, 2011
Messages
50
Reaction score
6
Location
Rochester
I'd really love to hear a reply from MidWest about their practices and how they're going to prevent this from happening again. Having to deal with my bank and not having my card for over a week was a giant pain in the ass.

Until I hear back from MidWest I will never shop there again and recommend people from doing so as well.
 

mrwizard0

Well-Known Member
Joined
May 23, 2010
Messages
457
Reaction score
29
Location
Enid
Brulosopher said:
Who was impacted? I spent $30 on July 3 then realized 3 weeks later I had 2 charges on my credit card at the same Illinois furniture store, for the same amount. I haven't heard a thing from MW...

Edit: I've never been to Illinois... and don't buy furniture
I want to know this too, I luckily had my cc company refuse the random charges that I had but I still had to get a new cc while on vacation which was a pain in the rear
 

disney7

Well-Known Member
Joined
Dec 21, 2011
Messages
400
Reaction score
63
Location
Maryville
As an IT professional and someone who's credit card was used fraudulently after buying from Midwest, I'd like a better explanation of exactly what happened. Details.
 

wsender

Well-Known Member
Joined
May 1, 2011
Messages
50
Reaction score
6
Location
Rochester
As an IT professional and someone who's credit card was used fraudulently after buying from Midwest, I'd like a better explanation of exactly what happened. Details.
Sadly, I feel we won't get any. They've already issued us the blood money and posted this sad excuse for an apology on a long weekend to minimize visibility.
 

thatjonguy

Now with 57.93% more awesome!
Joined
Mar 14, 2011
Messages
5,460
Reaction score
1,179
Location
Minnow
I too wait a response, although I was not comprimised (to my knowledge) I want to see how the rest of this goes down.

If anyone doesn't want their credit, you can send it to me for disposal. :drunk:
 
Joined
Jun 2, 2008
Messages
64,957
Reaction score
16,503
I love the first world problems here: "blood money", "inconvenience while on vacation", etc.

There are two types of people who shop on-line: those who have had their info hacked and those who will.

If you're gonna shop online, make sure it is with a company with a good fraud policy.

If you don't want to risk it, just take some gold down to your LHBS, or better yet: grow your own barley and hops.

With that said, I hope midwest learned their lesson by ignoring those who posted here originally in a very respectful manner saying "hey Midwest, a bunch of customers have been hacked; might want to check it out." And responding with "thanks, but it isn't us."
 

The_Professor

Well-Known Member
Joined
Apr 10, 2010
Messages
256
Reaction score
33
Location
Calif, USA
I remeber that thread too and the big difference I saw between AHS and MW was that AHS basically was upfront and said "hey guys i think we got a problem here, we'll keep you updated with what we find" and MW said "nothing to do with us, stop saying that we have a CC fraud issue, nah nothing to see here, etc."


I think you are missing everyones point that their "best effort" was a very very very poor effort when compared to industry best practices.
Ah, I didn't really know the timeline or history to this Midwest issue. It did not effect me.

The AHS one did effect me and you are right, they were quick to notify people about it.

I guess I was really more responding to the dissing the small discount, which is similar in both cases. I guess not everything else is similar.
 

BrewerE

Well-Known Member
Joined
Dec 23, 2012
Messages
235
Reaction score
45
Location
Omaha
I'm anxiously awaiting my notification.

The thing I'm most pissed about is that they were on here claiming that 'no CC info was stored', when right on the payment page, there is a 'check here to store CC info' box and a tab to view stored cards. AND THE STUPID THING DOESN'T EVEN WORK.

I ordered from them this week when they had free shipping (even though my card got whacked in July) and specifically looked for, and UNCHECKED the box. I went to the account>saved cards tab, AND THERE WAS MY CC info....SAVED ANYWAY....sooooo pissed.

This time I used a CC that has never been used for anything online and other limited use, so if it gets whacked, it'll NO DOUBT be from Midwest.

If they don't get this order out in the 'promised' 2-3 days or screw it up (again) it'll be the last time I order from them.
 

nickmv

Well-Known Member
Joined
Mar 1, 2010
Messages
780
Reaction score
70
Location
Memphis
Screw that, chew their asses out for yet again storing CC #'s without customers' permission. That's absolutely ridiculous and goes beyond "beyond unacceptable".
 

unkempt

New Member
Joined
Oct 10, 2012
Messages
4
Reaction score
1
I havent ordered from them in a while but I had fraud on my CC in this time frame. A 25$ gift card should cover all my late payment fines on my electric, cable and phone, plus the fee i had to pay to get a new card in 2-3 days insted of 7-10 days...rigghhtttt
 

Latest posts

Top