Important Statement From Midwest Supplies

Homebrew Talk - Beer, Wine, Mead, & Cider Brewing Discussion Forum


midwestsupplies (Active Member; joined Aug 11, 2010; 44 messages; location: St. Louis Park, MN)
Recently we learned that despite our best efforts the security of our website was breached by an outside party. For certain types of transactions, this breach may have resulted in the outside party being able to capture and use customer credit card information entered at the time of the transaction. When we identified the breach, we immediately secured our servers, hired a technical team to investigate and help resolve the situation, notified the credit card companies and law enforcement, and obtained legal counsel specializing in computer hacking to help us navigate the very specific legal notification requirements for all 50 states. At this time, all of the notifications have been made, and letters have been sent to all customers that may have been impacted. We regret not providing an update sooner, but we did not want to comment publicly until our investigation was complete and we were able to identify and notify those potentially affected.

Our investigation has now been completed and we are satisfied that the situation has been resolved and that all affected customers have been identified. We have also implemented extensive steps to prevent this kind of incident from happening again. In addition, we sent a letter to each customer who may have been impacted, notifying them of the incident and providing our sincere apology and a credit for $25 worth of homebrewing or winemaking supplies. If you have any questions or concerns please contact our customer service department by phone at 888-449-2739. Rest assured that if you were not contacted you were not among the customers impacted.

We have spent many years working to earn your trust and loyalty. And we recognize an attack like this can undermine that trust. As one brewer to another, you can rest assured that we won’t rest until you’ve brewed your best.

David Kidd

President
 
1. Why did you take 1.5 months to notify ANY customers? I don't care what the circumstances are with your investigation, there is no excuse for 1.5 months delay for such an announcement. Honestly, that kind of delay for something that occurred way back in June should be downright illegal. I understand you need to consult with professionals on this matter, but you have a duty to notify customers in a timely manner. You put their CC's and accounts at risk with that move. Until you provide some sort of insight into WHEN you contacted CC companies, and what their actions were in response, I'm going to assume that doing such a thing had little to no effect, as customers continued to post that their CC's were stolen for quite a long time after the reported incident date (seen here).

2. Despite your efforts to mitigate the situation, your response didn't quite hit the mark. A $25 gift card? You SHOULD be offering fraud protection service (credit monitoring) to each and every one of these customers. That's the standard for compromised cards nowadays, at least from the past 2 experiences I've had. Somehow a $25 GC doesn't seem to instill any lost confidence from what happened.

Additionally, simply telling customers basically "trust us we fixed it" in no way will solve your problems. The lack of transparency about what's transpired, combined with dodgy responses and downright denials over the past months, shows that you're still hiding something (namely that you REALLY messed up and didn't follow compliance regulations, held onto customers' CC #'s without permission, and more), and will only hurt you further.
 
Nick, I have to say I have some sympathy with your points, but I also am sure Midwest has had lawyers telling them not to say anything up until now. Damned if you do, damned if you don't.

The interesting things to me are that the official statement came on the Sunday night of a 3-day weekend when it would get minimal attention, and that a quick visit to the Midwest site didn't show anything about the problem.

And finally, once there's been a breach like this, it's very hard to know for sure that the perpetrator is completely gone. Outsiders have no way of evaluating the risk of recurrence.
 
Jeff, I knew full well that my opinion has legal ramifications, but my point still remains and is just as valid as any legal points they may have.

And yes, it's quite convenient that they posted it now, and haven't bothered being very public with it at all.
 
"The interesting things to me are that the official statement came on the Sunday night of a 3-day weekend when it would get minimal attention"
+1 on this
 
I understand you got compromised, it happens. I'm glad you've taken care of the issues. What I really don't like is how you dismissed everyone here on HBT when they brought the issue to light.
 
Hey! You get a $25 coupon for your identity theft. That will almost buy you a kit.
 
All the apologists here who 'understand' don't understand that this wouldn't have happened if you were PCI compliant. Why are you even storing our numbers? Why aren't they processed then discarded? This is really unacceptable.

The inconvenience I suffered when someone racked up over $700 dollars worth of charges about 3 weeks ago is unacceptable too. Thankfully my bank denied all the charges. I'm not alone in this. Look at this post here, seems to be a common thread.

http://www.reddit.com/r/Homebrewing...est_homebrewing_website_hacked_your_personal/

A $25 dollar gift card is paltry and insulting. Credit monitoring and some assurance about what you've done to stop this from happening in the future would have been a much better solution.
 
I won't be making any further purchases. I have run and managed sales sites, merchant accounts, PCI compliance, etc. for years. There are no excuses.
 
All the apologists here who 'understand' don't understand that this wouldn't have happened if you were PCI compliant. Why are you even storing our numbers? Why aren't they processed then discarded? This is really unacceptable.

The inconvenience I suffered when someone racked up over $700 dollars worth of charges about 3 weeks ago is unacceptable too. Thankfully my bank denied all the charges. I'm not alone in this. Look at this post here, seems to be a common thread.

http://www.reddit.com/r/Homebrewing...est_homebrewing_website_hacked_your_personal/

A $25 dollar gift card is paltry and insulting. Credit monitoring and some assurance about what you've done to stop this from happening in the future would have been a much better solution.

This x100000. I toned down my original response, but there really is absolutely NO excuse whatsoever for what happened. Having your server with CC #'s connected through the web? Absolutely ridiculous. That reddit discussion gets into where PCI compliance people can attest to the fact that what was done was inexcusable.

I will not be shopping with Midwest in the future, and will recommend that all friends go elsewhere (not even NB if possible, since they own Midwest). And assuming I was indeed a victim of this and get a $25 GC --- well, you can put it you-know-where.
 
Source for this nugget of info?

I'm not sure there's a specific direct source for this info, but it's a well-known fact around here. From a quick Google search, here's some basic info from way back when, from an employee:

"As a recently departed Midwest employee, I can tell you that the two companies are essentially merging. No one is buying each other out. The two companies' procurement and fulfillment operations are combining into one warehouse, while leaving each respective company's existing warehouses intact. The Midwest and Northern Brewer brands will remain separate. I haven't heard how the management structure will change, but I do know the president of Midwest sold his shares to the CEO and left the company.

This info came straight from upper management's mouth. I have an inherent distrust of most anything upper management says, but this stuff is a Big Enough Deal to not feed employees half-truths. I think you can take this as truth."

Basically they're one and the same. If anyone can offer info to the contrary, please do. This quote I lifted was from a while back. Everything I've heard is that for all intents and purposes, NB owns Midwest, but runs them separately.
 
I apologize to all for disputing your assertions about MW's connection to your CC fraud. I still believe that it is most prudent to reserve judgement until proof is provided.

As a loyal customer (and defender, until now) of theirs, I am unbelievably disappointed in them for their delay in revealing the breach. $25 to anyone who "may have been impacted" is fine, but those who "have been impacted" deserve a hell of a lot more than that, if the breach was due to negligence on MW's part (which it sounds like it was).

Oh, and if they expected this Labor Day weekend post to go under the radar, they are going to be sorely disappointed.
 
I'll be returning one of my recent purchases. With a response lag time like this you don't deserve my business
 
From David Kidd's linkedin page:

  • CEO Midwest Supplies December 2010 - February 2013
  • President, Northern Brewer, March 2013 - Present

If the president of Northern Brewer is issuing statements about a credit card problem at Midwest, I'd call that pretty conclusive that the two companies are closely related.
 
Austin Homebrew had an issue with the company that handled their cards a while back.

I actually had an unauthorized charge on my account that my bank halted, then an email from Austin Homebrew in that same timeframe. I believe Austin Homebrew stopped doing business with that provider and offered a limited time 20-25% discount.

I didn't have an issue with it as nothing progressed to really bad levels. I had to wait a few days for a new card from my bank.
 
geeez guys, nothing like getting your panties in a wad,

Last time my card got whooped was from the local Mexican Restaurant... I've had much less intrusion FROM ANY of my online buys

Stop berating our online suppliers cause someone managed to breach their initial best effort CC security.


If your card has never been stolen, I think you're probably in the minority here!
 
BigFloppy said:
geeez guys, nothing like getting your panties in a wad,

Last time my card got whooped was from the local Mexican Restaurant... I've had much less intrusion FROM ANY of my online buys

Stop berating our online suppliers cause someone managed to breach their initial best effort CC security.

If your card has never been stolen, I think you're probably in the minority here!

The difference in your experience and ours is that they only got your card number and expiration date if it happened at a POS machine. We had plenty more information stolen. They got our addresses, phone numbers, cc numbers, expiration dates, and security codes. They've got our home addresses and phone numbers. We'll get a $25 coupon.
 
geeez guys, nothing like getting your panties in a wad,

Last time my card got whooped was from the local Mexican Restaurant... I've had much less intrusion FROM ANY of my online buys

Stop berating our online suppliers cause someone managed to breach their initial best effort CC security.


If your card has never been stolen, I think you're probably in the minority here!

You clearly have not been following the other thread that's been going for almost 2 months.

I think getting "our panties in a wad" about money/credit being stolen is acceptable.
 
Austin Homebrew had an issue with the company that handled their cards a while back.

I actually had an unauthorized charge on my account that my bank halted, then an email from Austin Homebrew in that same timeframe. I believe Austin Homebrew stopped doing business with that provider and offered a limited time 20-25% discount.

I didn't have an issue with it as nothing progressed to really bad levels. I had to wait a few days for a new card from my bank.
I remember that thread too and the big difference I saw between AHS and MW was that AHS basically was upfront and said "hey guys I think we got a problem here, we'll keep you updated with what we find" and MW said "nothing to do with us, stop saying that we have a CC fraud issue, nah nothing to see here, etc."
...Stop berating our online suppliers cause someone managed to breach their initial best effort CC security...

I think you are missing everyone's point that their "best effort" was a very very very poor effort when compared to industry best practices.
 
The difference in your experience and ours is that they only got your card number and expiration date if it happened at a POS machine. We had plenty more information stolen. They got our addresses, phone numbers, cc numbers, expiration dates, and security codes. They've got our home addresses and phone numbers. We'll get a $25 coupon.

He's brand new here. I wouldn't think twice about what a new user with no knowledge of the actual situation thinks. Typical response from someone who has no association with this situation (read: ISN'T affected) and who doesn't give 2 ****s about identity theft and fraud.

It's OK, he'll learn later down the road when someone takes a credit card out in his name and ruins his credit. No big deal though, right?
 
Stop berating our online suppliers cause someone managed to breach their initial best effort CC security.

I think it's the "initial best effort" part that's the problem. It appears now that their security wasn't a "best effort".

I defended them until the facts were in. I know how frequent CC fraud occurs. However, if they weren't doing their due diligence to maintain security in the face of the constant and ubiquitous onslaught of hackers working identity theft rings, then they deserve every bit of the criticism they are receiving here.
 
Who was impacted? I spent $30 on July 3 then realized 3 weeks later I had 2 charges on my credit card at the same Illinois furniture store, for the same amount. I haven't heard a thing from MW...

Edit: I've never been to Illinois... and don't buy furniture
 
This is one of those times when I need a Dislike This Post button for Midwest. $25 to spend at MW? Why would I want to come back?
 
geeez guys, nothing like getting your panties in a wad,

Last time my card got whooped was from the local Mexican Restaurant... I've had much less intrusion FROM ANY of my online buys

Stop berating our online suppliers cause someone managed to breach their initial best effort CC security.


If your card has never been stolen, I think you're probably in the minority here!

You do realize their "best" effort was borderline illegal by not being PCI compliant right?

Their "best" effort was equivalent to writing your credit card number down and sticking it on a table anyone could walk by and see.

This isn't 1999 where cyber crime is new, or even difficult for that matter. Even very basic encryption and/or hashing of the cards would have prevented any of the data from being useful. Storing plain text credit card info in 2013, that's just amateur at best and their web developers should be ashamed of themselves.
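The two technical points raised in this thread (cards should be "processed then discarded" rather than stored, and a stored plaintext card number is useful to whoever steals the database) can be shown concretely. The following is an added example, not code from Midwest, Northern Brewer or anyone in this thread: a checkout routine that hands the raw card data to a payment processor and keeps only a processor token, the last four digits and the expiry, plus a Luhn-based audit that a merchant can run over its own stored records to confirm that no full card number or security code was retained. `FakeProcessor` is a stand-in for a real gateway's tokenization API, and every card number, order id and token below is a constructed sample value.

```python
"""Added example (not Midwest's or the forum's code): keep only a payment
token and a masked card number, and audit stored data for leaked PANs/CVVs.
All card numbers, order ids and tokens here are constructed sample values."""
import re
import secrets
from dataclasses import dataclass

# Field names a card security code might be stored under; PCI DSS forbids
# retaining this value after authorization, so its mere presence is a finding.
CVV_FIELDS = {"cvv", "cvc", "security_code"}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by card networks; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class StoredPayment:
    """Everything the merchant is allowed to keep: token, last four digits, expiry.
    There is deliberately no field for the full PAN or the security code."""
    token: str
    last4: str
    exp_month: int
    exp_year: int


class FakeProcessor:
    """Stand-in (assumed interface) for a payment gateway's tokenization call."""

    def __init__(self) -> None:
        self._vault = {}

    def tokenize(self, pan: str, exp_month: int, exp_year: int, cvv: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        # The gateway vaults the PAN; the CVV is used for this authorization only.
        self._vault[token] = (pan, exp_month, exp_year)
        return token


def checkout(processor, form: dict) -> StoredPayment:
    """Validate the card, send it to the processor, and return only what may be stored."""
    pan = re.sub(r"\D", "", form["card_number"])
    if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("invalid card number")
    exp_month, exp_year = int(form["exp_month"]), int(form["exp_year"])
    token = processor.tokenize(pan, exp_month, exp_year, form["cvv"])
    return StoredPayment(token=token, last4=pan[-4:], exp_month=exp_month, exp_year=exp_year)


# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit runs found in text (candidate stored card numbers)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def audit_record(record: dict) -> list:
    """Findings for one stored record: a full PAN in any field, or any CVV field at all."""
    findings = []
    for key, value in record.items():
        if key.lower() in CVV_FIELDS:
            findings.append(f"{key}: security code must never be stored")
        for pan in find_pans(str(value)):
            # Report only the BIN and last four so the audit log itself is not a PAN leak.
            findings.append(f"{key}: full card number {pan[:6]}******{pan[-4:]}")
    return findings


if __name__ == "__main__":
    stored = checkout(FakeProcessor(), {"card_number": "4111 1111 1111 1111",
                                        "exp_month": "12", "exp_year": "2026", "cvv": "123"})
    print("safe record:", audit_record(stored.__dict__))
    print("leaky record:", audit_record({"order_id": "c-1001",
                                          "card_number": "4111 1111 1111 1111", "cvv": "123"}))
```

Running the audit over an order table, a log directory or a database dump is the check a merchant would use to back a statement that "no CC info was stored"; a record produced by `checkout` yields no findings, while a record that kept the raw form fields yields one finding for the card number and one for the security code.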
 
I'd really love to hear a reply from MidWest about their practices and how they're going to prevent this from happening again. Having to deal with my bank and not having my card for over a week was a giant pain in the ass.

Until I hear back from MidWest I will never shop there again, and will recommend that others not do so as well.
 
Brulosopher said:
Who was impacted? I spent $30 on July 3 then realized 3 weeks later I had 2 charges on my credit card at the same Illinois furniture store, for the same amount. I haven't heard a thing from MW...

Edit: I've never been to Illinois... and don't buy furniture

I want to know this too, I luckily had my cc company refuse the random charges that I had but I still had to get a new cc while on vacation which was a pain in the rear
 
As an IT professional and someone whose credit card was used fraudulently after buying from Midwest, I'd like a better explanation of exactly what happened. Details.
 
As an IT professional and someone whose credit card was used fraudulently after buying from Midwest, I'd like a better explanation of exactly what happened. Details.

Sadly, I feel we won't get any. They've already issued us the blood money and posted this sad excuse for an apology on a long weekend to minimize visibility.
 
I too await a response; although I was not compromised (to my knowledge), I want to see how the rest of this goes down.

If anyone doesn't want their credit, you can send it to me for disposal. :drunk:
 
I love the first world problems here: "blood money", "inconvenience while on vacation", etc.

There are two types of people who shop on-line: those who have had their info hacked and those who will.

If you're gonna shop online, make sure it is with a company with a good fraud policy.

If you don't want to risk it, just take some gold down to your LHBS, or better yet: grow your own barley and hops.

With that said, I hope midwest learned their lesson by ignoring those who posted here originally in a very respectful manner saying "hey Midwest, a bunch of customers have been hacked; might want to check it out." And responding with "thanks, but it isn't us."
 
I remember that thread too and the big difference I saw between AHS and MW was that AHS basically was upfront and said "hey guys I think we got a problem here, we'll keep you updated with what we find" and MW said "nothing to do with us, stop saying that we have a CC fraud issue, nah nothing to see here, etc."


I think you are missing everyone's point that their "best effort" was a very very very poor effort when compared to industry best practices.
Ah, I didn't really know the timeline or history to this Midwest issue. It did not affect me.

The AHS one did affect me and you are right, they were quick to notify people about it.

I guess I was really more responding to the dissing the small discount, which is similar in both cases. I guess not everything else is similar.
 
I'm anxiously awaiting my notification.

The thing I'm most pissed about is that they were on here claiming that 'no CC info was stored', when right on the payment page, there is a 'check here to store CC info' box and a tab to view stored cards. AND THE STUPID THING DOESN'T EVEN WORK.

I ordered from them this week when they had free shipping (even though my card got whacked in July) and specifically looked for, and UNCHECKED the box. I went to the account>saved cards tab, AND THERE WAS MY CC info....SAVED ANYWAY....sooooo pissed.

This time I used a CC that has never been used for anything online and other limited use, so if it gets whacked, it'll NO DOUBT be from Midwest.

If they don't get this order out in the 'promised' 2-3 days or screw it up (again) it'll be the last time I order from them.
 
Screw that, chew their asses out for yet again storing CC #'s without customers' permission. That's absolutely ridiculous and goes beyond "beyond unacceptable".
 
I haven't ordered from them in a while but I had fraud on my CC in this time frame. A $25 gift card should cover all my late payment fines on my electric, cable and phone, plus the fee I had to pay to get a new card in 2-3 days instead of 7-10 days...rigghhtttt
 