Important Statement From Midwest Supplies

I want to make it completely clear that I'm not leaving Midwest because they were hacked or even that the hackers got my cc info. I'm leaving Midwest because they lied to us. They said it wasn't them flat out. They should have said we're investigating it, but they didn't. I just think they have handled this whole thing wrong from the start, and this $25 gc is like salt on the wound.

The question is, what is the context to "it isn't our problem."

In a normal company the management would've gone to the IT and asked 'Was our server breached?'

IT, fearing for their jobs/reputation, would respond, 'Well it passed the PCI check!'

My guess is, that it's that type of miscommunication that occurred.

Did they lie? Yes. Did they lie blatantly, through their teeth? It's a best guess as to what they were told by the IT.

Management would then call in a third party, who would catch the problem, but by then you've dismissed the problem publicly.

At any rate, that's just my take on it. It could swing either way, I suppose.
 
So part of me says screw 'em and part of me says, give 'em a break...

It's easy to place blame (which I'm guilty of) but then you walk a mile in another man's shoe and quickly see what's really goin' down...

Getting hacked is a risk that all online vendors take. Most consumers understand that and are willing to give some leeway. What I and many others can not excuse is how Midwest responded to the situation. Denial, blame shifting and avoidance.

Austin Homebrew was hacked. They admitted it, made amends and their customers stood by them (for the most part). Midwest failed to act in good faith and now they have lost me as a customer.
 
We regret not providing an update sooner, but we did not want to comment publicly until our investigation was complete and we were able to identify and notify those potentially affected.

Our investigation has now been completed and we are satisfied that the situation has been resolved and that all affected customers have been identified.

Here they say they were "investigating" this. Why didn't they say that in the forum instead of "it's not us"?

I have a serious problem with that!
 
In a normal company the management would've gone to the IT and asked 'Was our server breached?'

IT, fearing for their jobs/reputation, would respond, 'Well it passed the PCI check!'

If that's what happened, management needed to be smart enough to realize IT didn't answer the question that was asked. IT also needs to be smart enough to raise potential problems ahead of time, and document the response from management or lack thereof. Unfortunately the odds of us ever seeing those internal communications are slim and none.
 
Getting hacked is a risk that all online vendors take. Most consumers understand that and are willing to give some leeway. What I and many others can not excuse is how Midwest responded to the situation. Denial, blame shifting and avoidance.

Austin Homebrew was hacked. They admitted it, made amends and their customers stood by them (for the most part). Midwest failed to act in good faith and now they have lost me as a customer.

Understood. My point is simply that the entire context of the situation will probably never be known and the image presented to the public may have been distorted by internal politics.
 
I got the letter yesterday. Up until this point (I don't frequent the forums a lot) I didn't realize there was an issue. I never got any fraudulent charges, perhaps I was lucky. I do a lot of online shopping and over the past 8 years or so my credit card has been used fraudulently 3 times. Never once, until this, have I got a notice of a breach from anyone. Obviously Midwest could have handled it better (more promptly), but after being compromised 3 other times I don't get that excited about it. I file a form listing charges that weren't mine and my account is corrected in a few days and a new card sent. Part of the risk of shopping online, and it's not even that risky since your liability is limited. Inconvenience, yes, tragedy, no. I don't shop Midwest that much anyway because I comparison shop first and they often are not the cheapest, but if they have something I want I will still probably shop there. I don't know exactly what happened or where the compromise occurred, but a lot of retailers farm out credit card processing to third parties.

I think one lesson anyone should take from this is set up email alerts on your credit card account. Anytime a charge goes through I get an email instantly. That's how I've caught all the other fraud cases and reported within at most hours if they happened while I was asleep.
 
As an IT professional and someone whose credit card was used fraudulently after buying from Midwest, I'd like a better explanation of exactly what happened. Details.

I want to know this too. I luckily had my cc company refuse the random charges that I had, but I still had to get a new cc while on vacation, which was a pain in the rear.

This explains everything. My CC was compromised and someone tried to buy an AR-14 assault rifle and a new Canon DSLR. Everything was denied so no money lost, but **** midwest supplies. I'm done shopping there.
 
This x100000. I toned down my original response, but there really is absolutely NO excuse whatsoever for what happened. Having your server with CC #'s connected through the web? Absolutely ridiculous. That reddit discussion gets into where PCI compliance people can attest to the fact that what was done was inexcusable.

I will not be shopping with Midwest in the future, and will recommend that all friends go elsewhere (not even NB if possible, since they own Midwest). And assuming I was indeed a victim of this and get a $25 GC --- well, you can put it you-know-where.

I am in the same boat. I had two fraudulent charges from Western Union last month that totaled $715. The charges resulted in NSF fees as I was not aware of them until it was too late. I have blocked my card and my bank has temporarily credited me for the charges and fees pending an investigation. I will be forwarding them a copy of the letter. This was a major PITA for me!
 
If that's what happened, management needed to be smart enough to realize IT didn't answer the question that was asked. IT also needs to be smart enough to raise potential problems ahead of time, and document the response from management or lack thereof. Unfortunately the odds of us ever seeing those internal communications are slim and none.

Agree, all that example stated was that if MW has that kind of corporate culture (lie, hide info, avoid the problems) then this would be bound to happen. And if that was the case the IT department and directors need a serious shake up.
If this was a big international company you would have seen resignations from the board and management by now.
Although the departure of the CIO on July 25th is a bit suspicious :D
This is humorous. A job listing for a VP of IT/eCommerce at Northern Brewer on July 25th. Also confirms the merger of Midwest and NB. Talks about David Kidd (he's an Eagle Scout but apparently didn't get the data security merit badge).

He raved about the outgoing CIO.

I assume the job's been filled. Nice firestorm that person just walked into.

http://ecommercejobs.com/2013/07/northern-brewer-seeks-a-vp-of-it-ecommerce-st-paul-mn.html
 
I still have a few doubts that they are taking the matters seriously. Their first issue is storing CCV numbers in their database. This is a no-no in the PCI world.

Also their website still seems pretty insecure, as even their forums are to this day running an old outdated version with multiple vulnerabilities. (just check the stock phpbb changelog on the midwest site, and compare their running version to issues on google.) So should they get our business back? I know they are not getting mine. This whole incident was handled very poorly. At least Austin Homebrew when they were hacked fessed up right away, and fixed all their systems.
 
I read through this post and the original post started back in the beginning of July and I am a little lost. I can't find a single post in the last thread where they said flat out that it was not them. The last post in that thread they made was about their third party investigation and said it was still ongoing. They have also said that they don't store your complete cc info on their server, only the last 4 digits and expiration date, and you can opt out of that. They also stated in the first post here that the info was captured at the time of the transaction. To me this says that there was some sort of malicious software in their network capturing the info and sending it to the hacker. I have never purchased anything from them but reading all this would not keep me from doing so in the future. To me some of these posts look like those advertisements you see around election time if you know what I mean.
 
I am in the same boat. I had two fraudulent charges from Western Union last month that totaled $715. The charges resulted in NSF fees as I was not aware of them until it was too late. I have blocked my card and my bank has temporarily credited me for the charges and fees pending an investigation. I will be forwarding them a copy of the letter. This was a major PITA for me!

If you got NSF fees it must have been debit. I would advise against using debit, especially online because of things like this. It can tie up funds you need or don't even have. Not to mention debit liability is different from credit. At least on credit you have time to dispute and resolve the charges before you would be out any money.
 
I read through this post and the original post started back in the beginning of July and I am a little lost. I can't find a single post in the last thread where they said flat out that it was not them. The last post in that thread they made was about their third party investigation and said it was still ongoing. They have also said that they don't store your complete cc info on their server, only the last 4 digits and expiration date, and you can opt out of that. They also stated in the first post here that the info was captured at the time of the transaction. To me this says that there was some sort of malicious software in their network capturing the info and sending it to the hacker. I have never purchased anything from them but reading all this would not keep me from doing so in the future. To me some of these posts look like those advertisements you see around election time if you know what I mean.

Post #34 in the original thread, from MidwestSupplies:
"Thank you to everyone that has contributed to this thread and contacted us regarding your concerns. At Midwest Supplies we take our customers' data and information security seriously. After thoroughly investigating the concerns in this thread, we do not believe they were related to purchases made at Midwest Supplies. If anything changes we will let you know. If anyone has concerns regarding their order or credit card data, please contact our customer service team at 888-449-2739 or [email protected].

We value the trust our customers place in us every time they order from Midwest Supplies. We take this trust seriously: our website is secure and encrypted, it is scanned daily to guard against any attacks, we are PCI compliant, we maintain cyber insurance, all of our employees must pass criminal background checks, and we do not store credit card information on any of our systems.

As fellow brewers and winemakers, we want to make sure you can focus on making the best possible beer or wine, every time. We will do our best to guard your information and maintain your trust.

Thanks again and Cheers."
 
In the original thread post #52

We wanted to provide you an update on our on-going investigation into the credit card security matters raised in this Forum.

As part of our investigation, we have involved a number of third-party specialists in web server management, website applications management, website security and credit card processing. Each of these parties, in coordination with the others, has undertaken to assess how and when credit card data could have been compromised.

One of the complicating factors to the investigation is that we store no credit card data. All credit card information is transmitted securely to the credit card processors at the time of the transaction; no credit card information is retained.

A second complicating factor is that the credit cards in question were last used for a Midwest Supplies purchase during a wide ranging period, weeks to months before the fraudulent activity took place.

At this point, none of the third-parties nor our own team have identified how or when credit card data could have been compromised.

We take data security very seriously and are working to complete our investigation as soon as possible.

If anyone has concerns regarding their order or credit card data, please contact me directly at [email protected] or 952-562-5354.

Thanks again and Cheers.
Todd Jackson
Customer Service Manager
Midwest Supplies

This says they were still trying to figure out what happened.
 
In the original thread post #52

We wanted to provide you an update on our on-going investigation into the credit card security matters raised in this Forum.

As part of our investigation, we have involved a number of third-party specialists in web server management, website applications management, website security and credit card processing. Each of these parties, in coordination with the others, has undertaken to assess how and when credit card data could have been compromised.

One of the complicating factors to the investigation is that we store no credit card data. All credit card information is transmitted securely to the credit card processors at the time of the transaction; no credit card information is retained.

A second complicating factor is that the credit cards in question were last used for a Midwest Supplies purchase during a wide ranging period, weeks to months before the fraudulent activity took place.

At this point, none of the third-parties nor our own team have identified how or when credit card data could have been compromised.

We take data security very seriously and are working to complete our investigation as soon as possible.

If anyone has concerns regarding their order or credit card data, please contact me directly at [email protected] or 952-562-5354.

Thanks again and Cheers.
Todd Jackson
Customer Service Manager
Midwest Supplies


This says they were still trying to figure out what happened.

That post was on 07/09, and that's the last we hear from Midwest until 09/02. However, in their notice to the NH AG's Office, they acknowledge that they knew about the compromise "for sure" on 08/22, and state that they received preliminary information about a possible compromise on 07/19... But wait, they posted on 07/09 that they "didn't think" it was them... :confused:

I think everyone's pissed at MWS because instead of just coming right out and saying, "Oh $hit, we might have a problem here" they blew smoke up everyone's kilts and said they didn't think it was them. Just my 2 cents though.
 
Oh, and yeah, my wife's CC was affected as well. She just received her replacement card "Due to fraudulent activity" yesterday. She placed an order there in April for a gift card for me.
 
Looks like the business registrations for Northern Brewer, LLC (Foreign) are inactive after being revoked in Feb 2013, according to the MN Sec of State office. Their state of organization is Delaware. There are no active business registrations for Northern Brewer in MN.

Midwest Supplies, LLC has a filing in March 2013 for a Foreign LLC organized in Delaware.

Something is going on here...

I should add that I was not affected by this but they screwed up my grain. One more chance to fix it and then I am done.

Sorry about the mistake on your order - PM me, or refer to the PM I sent you and we'll get the error taken care of.
 
That post was on 07/09, and that's the last we hear from Midwest until 09/02. However, in their notice to the NH AG's Office, they acknowledge that they knew about the compromise "for sure" on 08/22, and state that they received preliminary information about a possible compromise on 07/19... But wait, they posted on 07/09 that they "didn't think" it was them... :confused:

I think everyone's pissed at MWS because instead of just coming right out and saying, "Oh $hit, we might have a problem here" they blew smoke up everyone's kilts and said they didn't think it was them. Just my 2 cents though.

They also said in the first post here that they acquired legal counsel. A lawyer is going to be more concerned about possible lawsuits than keeping people on a forum in the loop. Sorry if that's not what you want to hear but to me these threads are blowing up into a big witch hunt. Just my 2 cents.
 
I want to make it completely clear that I'm not leaving Midwest because they were hacked or even that the hackers got my cc info. I'm leaving Midwest because they lied to us. They said it wasn't them flat out. They should have said we're investigating it, but they didn't. I just think they have handled this whole thing wrong from the start, and this $25 gc is like salt on the wound.


This^^^^

Any company could get hacked. I get that. However, lots of companies do not deny it publicly, appealing to the trust and faith of their customers who are still holding on to compromised credit cards. I ordered on March 1. I have not noticed any fraudulent charges over the past months. However, yesterday I received new cards out of the blue and today I got my $25 parting gift from Midwest stating:
"As soon as we discovered the breach, we took immediate measures to resolve the situation......."

Uhhhhhhh - no you did not. As soon as you heard about it, you denied that it happened to you ..... and continued to deny it happened...... Some of us used compromised cards for 6 months while you continued to deny any of it happened at all.

I will not shop at MW again for the way they handled it. I do not have faith that every other place has superior ability to prevent this type of thing from happening. But, I do feel that there are very few other places that would handle it as poorly as Midwest did. They have PROVEN what crappy customer service they have. That is enough for me.
 
With the connection between Midwest and Northern Brewer being shown in earlier posts, has anyone had the same issues with credit card info being stolen when ordering through Northern Brewer? I'm asking only because I placed an order through Northern Brewer prior to reading about this.
 
With the connection between Midwest and Northern Brewer being shown in earlier posts, has anyone had the same issues with credit card info being stolen when ordering through Northern Brewer? I'm asking only because I placed an order through Northern Brewer prior to reading about this.

I've placed several orders with NB within the affected time period and not had any issues. I'm hopeful that the systems they use are separated enough so I won't have a problem. Having said that, I'm definitely hesitant to use NB any further at this point. That really bums me out too because I've always been super happy with their product and support. I'll see how this plays out before I return my business to them.
 
Wasn't compromised, but also hadn't ordered since 2/27/13. Received the letter and $25 code today. Wonder how far back they are suspecting the hack occurred?
 
With the connection between Midwest and Northern Brewer being shown in earlier posts, has anyone had the same issues with credit card info being stolen when ordering through Northern Brewer? I'm asking only because I placed an order through Northern Brewer prior to reading about this.

It's been a long time since I've ordered from Midwest, but I order from Northern Brewer often and just about a month ago spent $250 there online. I have had no issues with my credit card. I order at least 4 times per year from Northern Brewer, sometimes much more often.
 
This entire thread is why the people that pay a bit more with cash at the LHBS are happy.
 