
Security Breach at Hobby Search - Japan


Claude_Dreyfus


I know there are a number of us on here that use the Japanese shop Hobby Search for various bits and pieces. Unfortunately they had a significant security breach not long ago involving data such as credit cards. Below is a copy of their statement on the matter.

 

Original Source: http://www.1999.co.jp/info_card_e.html

 

Regarding a security breach and stolen customer data

 

"To Hobby Search customers:

 

We are writing to let you know of a hacker or hackers that penetrated our computer system and accessed customer data including credit card information.

 

At the time of writing, we do not know of any of this information being available publicly.

It is important to us that you, the customer, do not experience any monetary damages because of this incident, and have provided the information of all the cards that may have been involved in this incident to each of the credit card companies so that they may monitor the activity on these cards.

If you have any concerns about the security of your card, please contact the card company (via the number on the back of your credit card).

 

Also, although we have switched to a more secure credit card transaction system that only stores the last four digits of your card on our databases on July 7, 2010, we have disabled credit card payments indefinitely.

 

The credit cards involved in this incident are those used in orders prior to July 7, 2010 (a maximum of 23,526 cards)

 

- Credit card numbers, expiration dates, cardholder names

 

We do not store personal verification passwords or security codes on our databases, so these have not been accessed.

Again, we have switched to a more secure credit transaction system on July 7 that only stored the last four digits of those cards (3,794 cards) and cannot be abused by a third party.

We are deeply sorry for any inconvenience or concern that this incident may have caused.

 

<A timeline of events>

October 6 - A system administrator found traces of attacks from Korea and began investigating immediately. That night, we contacted an external security firm to investigate.

 

October 7 - The external examiners began investigations in the morning. We shut off our systems for emergency maintenance, reinstalled all server operating systems and software, re-examined security settings, and isolated the server.

Logs indicated that customer data had been sent out from our server to the address of an institution in Korea.

We contacted that institution by phone and email about this incident and confirmed that the data had been deleted. We believe that they were used as a proxy.

 

October 8 - We revised program, network, firewall, and client machine security and implemented an intrusion detection system.

 

October 12 - We contacted the credit card transaction handler and began discussions about the course of action.

 

October 20 - The external investigators concluded their investigations and determined which and how much data had been accessed.

 

October 28 - With the results of the investigation and cooperation of credit card companies, we are ready to handle customer correspondence and have sent out email notifications to the customers that may have been affected.

 

We deeply regret that this incident has occurred, and are continuously examining the security of our systems. We believe that the root of this problem was the lack of security awareness among each and every employee and are making sure this should not happen again.

We will work hard to maintain your confidence in Hobby Search and hope to see your continued patronage.

 

 

28 October 2010

Toshiyuki Suzuki

President

Hobby Search"


Archived

This topic is now archived and is closed to further replies.
