Important Statement From Midwest Supplies

Homebrew Talk

Midwest has handled this horribly from the start. For starters, they mishandled customers' information. Then they denied any culpability when a thread was posted in June, despite already knowing they had had a breach. Then they waited over a month to notify customers who may have been affected. Then they chose to make the announcement on a message board in the middle of a long weekend so it would get less attention. Finally, they are not offering identity theft insurance to those who had their information stolen due to MW's mishandling, but instead offer a GC, essentially requesting you trust them with your information again. I've only ordered a couple times from them, but I will definitely not be ordering from them ever again and will go out of my way to warn others that they will do the bare minimum to protect your info and then tell you to your face that they had nothing to do with it being stolen.

This to me was a big point. I'm a local customer, so I've been dubious due to their piss-poor customer service. Try walking in there and having zero employees able to answer your questions other than, "Uh, I think so, but I really don't know, but this should work." Seeing a sign posted for no firearms allowed and turning around because of it, and having someone passing out insulting you for that, is also pretty awesome too. Oh, and the fact that they suspected they were hacked and took months to respond?

Who does that in today's technical world? Why is there only a notification going out by snail mail? I just checked all the folders of the two email accounts I commonly use and would have used with that site, and there is only a simple notification that my Midwest points may expire.

Perfect.

**** goes down sometimes. That is not really acceptable, but things at times happen. When the .gov can inform me as a Veteran that I've had things compromised, and that is swifter than Midwest, there is something wrong with that.

This does explain all the flip outs my bank has had of recent however.

Thank you Midwest, your service and notification on a long weekend is a peach.

Northern Brewer, if you are associated with this travesty I will take my money elsewhere. I would be curious to see how this unfolds. While I like having Northern Brewer as my Local Brew Store for convenience's sake, since it is on my way past, if there is any truth to this association or any possible linking of troubles, I will decide to fight traffic and have things drop shipped to my house.

Really who is in charge of this travesty should take a lesson in customer service, but then again we are apparently but a few on the internet. Midwest has little to no care about things since this is released on a long weekend.

Bravo Midwest for being behind the 8 ball, or perhaps it is bravo for doing such things on a long weekend so that most folks miss it.

Bravo.
 
They said "It's not us", didn't they! They didn't say "we're investigating this"! They told us flat out NO, it's not US!

As far as their $25 GC, if I'm one of the lucky ones to get one I'll tell them where to put it. I put my last order in to Midwest. They won't get any more of my business.
 
Since there are a lot of misconceptions about the security of online shopping, as well as what Midwest could have done, let me ruminate briefly as a professional developer, including of eCommerce software:

1) Midwest should not have stored CC details.
This is true. Storing details is generally a Bad Thing (TM), and they should get nailed to a tree for storing this payment information when the box to do so is unchecked.

2) If Midwest hadn't stored payment details, this wouldn't have happened.
This probably isn't accurate. It's often not obvious that you've been hacked until the credit card fraud inquiries start rolling in. During this period, between when the breach is made and the breach is closed, the attacker can harvest even unstored details by altering the checkout system to divert the private data to permanent storage.

3) If Midwest had stored these details on a machine that didn't face the Internet, this wouldn't have happened.
Maybe, if the intrusion had been caught immediately before any transactions were made on the compromised system. Their response does not give me confidence that this was caught quickly.


In terms of their response, it's absolutely unacceptable. They were either lying when they said it hadn't happened to them when individual customers complained, or they're lying now when they say that they've been working on this for months... either way, they're liars with your billing information and it's been kept quiet for far too long. To hell with this company and up with the LHBSes. :mug:
 
I'm going to assume those that are claiming they were affected by this issue did not choose to save a credit card in their Midwest account. My account has no cards saved. If you did, you chose to bypass the PCI requirements for the sake of convenience. Convenience breeds failure. However, as others have mentioned, cards don't have to be stored for a problem to occur. If the order system has been tampered with it is a simple thing to redirect a copy of information to somewhere else.

One thing missed in all this talk is software maintenance. We may overlook the compare after backup feature in our backup software, but one of the best uses for that feature is to maintain a baseline for comparison of your applications. Unless you are doing adds and changes, the app shouldn't be changing. If it has changed from your last good copy after an install or upgrade, someone has been messing with your code and you have a problem. As a system administration consultant, very few of the clients who engage my services are taking these simple precautions. But I'm preaching to the wrong audience.

All that having been said, Midwest certainly should have handled this better, and in a more timely manner. I had this happen at an internet company I owned years ago. The crack occurred at the settlement bank, not our facility or equipment but that didn't matter. The main difference was I was informed by the processor within two (2) hours of their awareness, and we informed our customers immediately, all of them through a mass emailing. The processor bore the cost of closing accounts and re-issuing cards. We were a very small company among many across the nation affected, and it was handled well. The same sort of thing should have happened in this case.
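The "compare after backup" idea in the post above, as an added example that is not code from the thread or from any vendor mentioned in it: a baseline manifest of file hashes is taken right after a deployment, and a later manifest is diffed against it so that an altered checkout script or a file that was never part of the deployment stands out. The paths and file contents are constructed for the demo.

```python
"""Baseline-and-compare integrity check for a web application's files."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its hash and size."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            manifest[rel] = {"sha256": hash_file(full), "size": full.stat().st_size}
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Return the files that differ between the last known-good copy and now."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(
            p for p in base_keys & cur_keys
            if baseline[p]["sha256"] != current[p]["sha256"]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline taken after deployment, then a checkout
    script changes and an unknown file appears; the diff reports both."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "checkout").mkdir()
        (root / "checkout" / "process.php").write_text("<?php // original checkout\n")
        (root / "index.php").write_text("<?php // storefront\n")
        # A real baseline would be stored off the web server; kept in memory here.
        baseline = json.loads(json.dumps(build_manifest(root)))

        # Changes made after the baseline (simulated for the demo only).
        (root / "checkout" / "process.php").write_text("<?php // altered checkout\n")
        (root / "checkout" / "extra.php").write_text("<?php // not in the deployment\n")

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on a schedule against the deployed tree and treat any non-empty result outside a planned change window as an incident to investigate.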
 
The last sentence of the first page says "The company does not store credit card information." If that's the case then how can I order using my previous credit card info?

The conflicting statements and the initial denial by Midwest followed by an extremely slow response is enough for me to say "I'm done with them".
 
Just found this gem - http://doj.nh.gov/consumer/security-breaches/documents/midwest-supplies-20130827.pdf
Goes to say they received preliminary info on July 19. The first post on here was July 7, and in a later post that (or the next) day the OP confirmed his dad had contacted Midwest about it.
Is Midwest lying to the Attorney General now?

That is very interesting and is much more information than they bothered to give us here.

That letter to the AG in NH makes it sound like they are only informing New Hampshire residents. I'm fairly certain my card fraud was a result of doing business with MW and I haven't seen anything yet in TN. Of course, the letter may not have had time to get here yet.

My best guess would be that MW is in fact not storing CC info. The letter to the AG says their site was compromised and software was installed that intercepted CC info that was entered on their site and sent it to the bad guys. Usually such things are a result of server software that isn't kept up to date. It can also be due to misconfiguration. You can also have what are called zero day vulnerabilities, which are exploitable issues that have just been discovered and the software vendors have not had time to come out with a patch to correct them. Sometimes the good guys figure those out first and sometimes the bad guys do.
 
The last sentence of the first page says "The company does not store credit card information." If that's the case then how can I order using my previous credit card info?

The conflicting statements and the initial denial by Midwest followed by an extremely slow response is enough for me to say "I'm done with them".

They've explained this. The first time you enter your info the processing center creates a token and the token is stored with MW. From then on, the token is sent to the processing center.... they know what credit card it represents and use it.

From my understanding, if someone else were to obtain the token they wouldn't be able to use it because the token is only acceptable for use between MW and their processor.
 
I find it funny you think so highly of your customers less than 15 bucks (we know you mark up your products around 50%). I for one will never be a customer at a company that treats their customers like this. You should be offering credit protection for all those customers as it is your fault they will need to go through the hassle of canceling their credit cards. From one brewer to another, piss off.
 
I ordered from MW once about five years ago. Now I'm going to have to cancel my credit cards, change my name and move to another state!
 
From my understanding, if someone else were to obtain the token they wouldn't be able to use it because the token is only acceptable for use between MW and their processor.

Credit card tokenization isn't secure if the server isn't secured.

http://pages.cs.wisc.edu/~lorderic/webpage/tokenization-crack.pdf

What really ticks me off is that AG letter where the venomous snake lawyer wrote 'did not find conclusive evidence from Feb to Jun.'

Sounds like they're trying to weasel their way out of more liability by only claiming liability for one week's worth of fraud.

I haven't ordered from Midwest since February when my first card was compromised and won't order from them ever again.
 
I was hacked for sure and I didn't receive any contact from MW over the weekend. My fraud charges happened over a weekend when I don't often check my online ledger and they got me for at least $2000 in charges which I am still currently on the hook for. I had to file a police report, then go back and pick it up to send to my bank after getting a form notarized. At least if I got the number lifted by a waiter at a restaurant, I'd know exactly who to punch in the face.
 
Thankfully, I have always found MW prices to be too high so I have never ordered from them. I now doubt that I ever will.

Their handling of the situation has been despicable from start to present.
 
I love the first world problems here: "blood money", "inconvenience while on vacation", etc.

There are two types of people who shop on-line: those who have had their info hacked and those who will.

If you're gonna shop online, make sure it is with a company with a good fraud policy.

If you don't want to risk it, just take some gold down to your LHBS, or better yet: grow your own barley and hops.

With that said, I hope midwest learned their lesson by ignoring those who posted here originally in a very respectful manner saying "hey Midwest, a bunch of customers have been hacked; might want to check it out." And responding with "thanks, but it isn't us."
In this day shopping online shouldn't be a "your information will be hacked or it has been hacked" situation. There are controls in place and if they're not in place, there should be controls in place to prevent this from happening. Having your information hacked by shopping online should be a rare occurrence.

Notwithstanding, having never ordered from this company but seeing the thread when it was posted, I was really thinking they did wrong here. In searching MW I found that folks were raising concerns early on, and for MW to publicly say it wasn't them is appalling.

Midwest has handled this horribly from the start. For starters, they mishandled customers' information. Then they denied any culpability when a thread was posted in June, despite already knowing they had had a breach. Then they waited over a month to notify customers who may have been affected. Then they chose to make the announcement on a message board in the middle of a long weekend so it would get less attention. Finally, they are not offering identity theft insurance to those who had their information stolen due to MW's mishandling, but instead offer a GC, essentially requesting you trust them with your information again. I've only ordered a couple times from them, but I will definitely not be ordering from them ever again and will go out of my way to warn others that they will do the bare minimum to protect your info and then tell you to your face that they had nothing to do with it being stolen.
With respects to the long weekend posting, I have a strange feeling that they did this thinking it would garner some kudos from the community for their attempt to notify customers in spite of the long holiday weekend. The cynic in me thinks this was a play on their part and nothing more.
Well it looks like I won't be ordering from Midwest anytime soon. Sucks for you.

YOUR FAILURE TO PREPARE HAS CAUSED AN EMERGENCY ON OUR PART.

no bueno

HAXXOR TEH GIBSON
Even if they were PCI compliant this could have happened. It appears they were not and somewhat more importantly, their behavior when customers who have likely spent a fair amount of money on supplies from their site expressed concerns, is unforgivable. I will be surprised if they come out of this healthy.
The only way to protect ourselves in the future from this type of crap is for people like me, who were not affected, to decide not to do business with Midwest. That way, the calculus changes the next time around and a vendor will decide that waiting nearly 3 months to talk about it is a BAD business decision.

I really think the lawyer who gave them the advice to keep quiet did a bad job as part of his/her job is to consider the client's financial interests as well. I really think they miscalculated the repercussions of this..
They claimed they hired a lawyer who specializes in this type of intrusion. I have to say, I question that because like you, they should have been advised instantly to notify customers.

Very interesting... I placed an order through Midwest in June, and then had fraudulent charges on my CC (luckily Chase blocked them). Have not received anything from Midwest as stated.

Have these notifications been made over email or snail mail?
I read on reddit that someone received a letter via post.
Couple questions for Midwest Supplies:

1.) How are you determining who was affected by this?
2.) How are you notifying those affected?
3.) How are you giving the $25 credit?

( I believe I was affected but have not received any notification. )
Based on the below, perhaps they did only notify NH residents. Who knows, they need to respond asap. Also, the $25 is a gift card so you can spend it on their store. They lose absolutely nothing here unless customers stand their ground and take their business elsewhere.
Just found this gem - http://doj.nh.gov/consumer/security-breaches/documents/midwest-supplies-20130827.pdf
Goes to say they received preliminary info on July 19. The first post on here was July 7, and in a later post that (or the next) day the OP confirmed his dad had contacted Midwest about it.
Is Midwest lying to the Attorney General now?
They best hope that they didn't lie to an AG about the intrusion and they better hope they're not messing with the New Hampshire AG. NH does not mess around at all. Although little, their reach is far and NH will stop at nothing to ensure their consumers are protected.

I will say what everyone else is saying, MW needs to think less about offering a gift card that is to be spent on supplies from their store and offer fraud monitoring for at least 12 months. Customers who were affected can put a fraud alert on their credit profiles (start with Experian) and as a victim of fraud, you're entitled to two free credit reports a year. If the information obtained from MW did not include SSN or anything that could allow someone to use your identity then the fraud alert may not be necessary. MW should provide a Visa gift card so that the funds could be used by affected consumers to order a credit report instead of using their one free one a year. If someone says my information was stolen because proper controls weren't in place then hands me a way to order more crap from their site, I too would be pissed. I don't call this a "first world problem at all."
 
Bobby_M said:
I was hacked for sure and I didn't receive any contact from MW over the weekend. My fraud charges happened over a weekend when I don't often check my online ledger and they got me for at least $2000 in charges which I am still currently on the hook for. I had to file a police report, then go back and pick it up to send to my bank after getting a form notarized. At least if I got the number lifted by a waiter at a restaurant, I'd know exactly who to punch in the face.

I think if everyone who gets a $25 GC to Midwest were to send it to Bobby, he would still be out a lot. I am curious how many people are going to get one. If anyone does get a letter/GC they should post it so we know how many people they think got hacked.
 
Just found this gem - http://doj.nh.gov/consumer/security-breaches/documents/midwest-supplies-20130827.pdf
Goes to say they received preliminary info on July 19. The first post on here was July 7, and in a later post that (or the next) day the OP confirmed his dad had contacted Midwest about it.
Is Midwest lying to the Attorney General now?

Unbelievable. I am the original poster that brought this situation to light on July 6th (same day my Dad called Midwest) and was in contact with Midwest multiple times until they made a public statement on this board on July 8th:

After thoroughly investigating the concerns in this thread, we do not believe they were related to purchases made at Midwest Supplies

My guess for the reason Midwest is using the July 19th date is because that is probably the date they notified the major credit card companies about the breach. Part of PCI rules states that a company can be fined $100,000 for every day that they fail to report a known "potential breach" to the processors.

What further upsets me about this Attorney General letter is that only customers between June 13th and July 19th were confirmed compromised. My affected purchase was made in April but card was not charged until that week in July when a lot of you were hit with the same fraudulent charges. Again, the credit card processors can fine up to $100,000 per month that a breach goes uncured. I guess admitting to the February to June breach doesn't fit the company budget.

I only posted this situation on this public forum because Midwest was the only shared vendor that made sense when both My dad and I had eerily similar fraudulent charges within the same few days. Several other posters quickly came forward with similar situations yet within hours the Midwest team determined it was not them. There was even a poster named "Varaflame" who referenced the company I worked for and attacked the site for not having a security certificate (doesn't need one since it does not accept payments). I had given Midwest my employers information to call me there so I'm pretty sure Varaflame was a Midwest employee which is why I refused to contact them again regarding the situation. If they want to discuss the situation....I felt they needed to discuss it with everyone on this forum. They did a pretty horrific job of that.

Within a couple of weeks 30+ people came forward and then the thread was shut down by moderators. I just want it known to the moderators that by shutting down that thread other members were not able to come forward and I don't think that is right.

Attorneys and CEOs make horrible public relations professionals. Midwest could have handled this in a way that I would have remained a customer, but they drove me away.
 
I just want it known to the moderators that by shutting down that thread other members were not able to come forward and I don't think that is right.

Seems we did shut it down prematurely, but by that time it was mostly bickering among members, not new information. I did go back and add a link to the end of that thread pointing to this thread.
 
Once again, this is why I use PayPal whenever a site offers it. Midwest does... more recourse for me & no hacked cards.
 
Everyone who is saying they won't be ordering from Midwest again, take the time to send them a message on their site requesting they delete your account and personal information and tell them why. Quietly never buying from them again doesn't send a message, literally sending a message does.
 
Everyone who is saying they won't be ordering from Midwest again, take the time to send them a message on their site requesting they delete your account and personal information and tell them why. Quietly never buying from them again doesn't send a message, literally sending a message does.

This.
 
They've explained this. The first time you enter your info the processing center creates a token and the token is stored with MW. From then on, the token is sent to the processing center.... they know what credit card it represents and use it.

From my understanding, if someone else were to obtain the token they wouldn't be able to use it because the token is only acceptable for use between MW and their processor.

This would still only prevent theft if:

a) it's true
b) no one entered new cards while the system was compromised.

A couple other people here have observed that PCI compliance won't stop credit card theft and they're right. If there is credit card info being sent to a server, it CAN be recorded. If the server is compromised, you can bet that's what is happening.

Once again, there is no way to stop payment details from being recorded if the machine that accepts them from the customer gets hacked. You can only make it less likely by keeping your system up to date, enforcing sensible security policies, and auditing outbound communication. Real security involves a combination of merchant security and creditor-level fraud protection.
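The tokenization arrangement described in the quoted post, together with the caveat that a card entered while the checkout is compromised is exposed anyway, as an added example that is not code from the thread, from Midwest or from any processor: a toy processor vault issues opaque tokens bound to one merchant, the merchant stores only the token, a token presented by a different merchant is refused, and the full card number still passes through the merchant's checkout code on first entry. All names, amounts and card numbers are constructed for the demo.

```python
"""Toy model of merchant-side card tokenization and its limits."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Processor:
    """Stand-in for the processor's vault: token -> (merchant, card number)."""
    vault: dict = field(default_factory=dict)

    def tokenize(self, merchant_id: str, pan: str) -> str:
        # The token carries no card data; the mapping lives only at the processor.
        token = "tok_" + secrets.token_hex(12)
        self.vault[token] = {"merchant": merchant_id, "pan": pan}
        return token

    def charge(self, merchant_id: str, token: str, cents: int) -> bool:
        entry = self.vault.get(token)
        # Unknown tokens and tokens bound to a different merchant are refused.
        if entry is None or entry["merchant"] != merchant_id:
            return False
        return cents > 0


@dataclass
class Merchant:
    """Merchant that keeps only a token per customer, never the card number."""
    merchant_id: str
    processor: Processor
    customers: dict = field(default_factory=dict)
    seen_in_checkout: list = field(default_factory=list)

    def first_checkout(self, customer: str, pan: str, cents: int) -> bool:
        # On first entry the card number necessarily transits this code path;
        # anything running here (including tampered checkout code) can read it.
        self.seen_in_checkout.append(pan)
        token = self.processor.tokenize(self.merchant_id, pan)
        self.customers[customer] = {"token": token, "last4": pan[-4:]}
        return self.processor.charge(self.merchant_id, token, cents)

    def repeat_checkout(self, customer: str, cents: int) -> bool:
        # Later orders send only the stored token; no card number is present.
        token = self.customers[customer]["token"]
        return self.processor.charge(self.merchant_id, token, cents)


def demo() -> dict:
    proc = Processor()
    shop = Merchant("merchant_A", proc)
    pan = "4111111111111111"  # constructed test number, not a real card
    shop.first_checkout("alice", pan, 4999)
    repeat_ok = shop.repeat_checkout("alice", 2599)

    # What a dump of the merchant's customer table would reveal: tokens, no PAN.
    db_holds_pan = any(pan in str(rec) for rec in shop.customers.values())

    # A token lifted from merchant_A is worthless to anyone else at the processor.
    stolen_token = shop.customers["alice"]["token"]
    replay_ok = proc.charge("merchant_B", stolen_token, 2599)

    # A second customer entering a new card: the number transits checkout again.
    shop.first_checkout("bob", "5555555555554444", 1999)

    return {
        "repeat_charge_ok": repeat_ok,
        "merchant_db_holds_pan": db_holds_pan,
        "stolen_token_usable_elsewhere": replay_ok,
        "pans_that_transited_checkout": len(shop.seen_in_checkout),
    }


if __name__ == "__main__":
    print(demo())
```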
 
Once again, this is why I use PayPal whenever a site offers it. Midwest does... more recourse for me & no hacked cards.

Honestly, I wouldn't.

PayPal is notorious for stealing people's money and always siding with the merchant when there is a dispute.

Just google about it; there are cases of PayPal locking down fundraiser/charity accounts for months on end because of "fraud". Yet no one you can call or talk to will tell you anything about what is going on. PayPal is *NOT* a bank in the United States, and they do not have to follow any of the government regulations regarding how banks have to operate when there is fraud. They can (and do) just lock your account and there is nothing you can do. Many people have lost thousands of dollars because of this.

Granted, there is a difference between storing money with PayPal and just using them to access your bank accounts, but regardless, their history in terms of customer support is mediocre at best. Some of the things they've done are far worse than Midwest could ever do.

If you use one of the big banks like BoA, google about one-time-use VISA cards.

You can basically generate a new Credit card number, push an exact amount of money to it for your purchase and then pay with it. The card number is then usually destroyed.
 
Everyone who is saying they won't be ordering from Midwest again, take the time to send them a message on their site requesting they delete your account and personal information and tell them why. Quietly never buying from them again doesn't send a message, literally sending a message does.
Done, even though my account doesn't appear to have been hacked. (yet)
 
So I have read the whole thread, and at some point I realized that my wife had said she got a call from the bank (one we rarely use that has just a small balance) that someone was trying to use that acct. Now it could just be a coincidence, but she had made a purchase from MW sometime last year. If it's not, then I can assume that the info from any purchase that has been made could have possibly been stolen. I sort of dismissed the card thing until I read this thread. Again, it could have been just a coincidence, or could it?
 
Got a letter in the mail today. Checked over last month's statement and had 3 charges from Walmart.com over 2 days for the same amount. Guess I'll chalk that up to credit card fraud. Awesome.
 
My account was hacked. Fortunately my card service noticed the odd transactions and called me personally to confirm- so I got lucky and was not responsible for those charges. If I hadn't been so lucky $25 would not have compensated me. I told MWS "from one homebrewer to another" the way they handled this is absolutely pathetic and to delete my account and info. No brewer waits months to address a problem of this magnitude.

FWIW: Tonight I will drink to any brewers who were stolen from. May you find swift compensation- Financial or psychological!
 
Got a letter in the mail today. Checked over last month's statement and had 3 charges from Walmart.com over 2 days for the same amount. Guess I'll chalk that up to credit card fraud. Awesome.

I had one charge from Walmart.com also. I caught it in time and they were able to refund the money to my account. I still haven't received a letter from Midwest, but I have received two catalogs since the incident happened.

:confused:
 