Bulk Reef Supply Security Breach

[djtuzik]

Quote:

Originally Posted by MondoBongo

just a clarification here, are you saying that BRS knew about the breach months ago, but failed to disclose? because that is an extremely serious accusation.

do you have any proof to substantiate this?

generally with these kinds of data breaches, they are silent. many times they're not discovered until a subset of people who have had their information stolen can be used to connect the dots to the point of compromise.

this isn't a brick and mortar store, so there aren't big sirens and flashing lights that go off when someone smashes a window, detecting these kinds of intrusions can be as much art as it is science.

i would caution you to refrain from assumption in this scenario, as is not productive. however if you have proof that this is the case, please do share.

6 month period for a breach is a pretty long time. And instead of sending out a cautionary email right away and posting the info all over the place, they notified via snail mail... I got fraud of 3k!

[Jone]

No not at all,,, I want to rescind what I wrote prior ..It really is bad that these situations happen but is there anything the card companies can do to stop this?? Its a topic that reoccurs to card companies, people and retail vendors..Especially everyone involved that gets caught up in this aggrivating mess it becomes..How does somebody get this private info,,if their not supposed to have it and plus have balls to do illegal activity like this??
Just think of the time and trouble spent by card companies and vendors that have to do damage control in these situations or implement safety standards to these safety privacy issues on a daily business basis....

Quote:

Originally Posted by MondoBongo

just a clarification here, are you saying that BRS knew about the breach months ago, but failed to disclose? because that is an extremely serious accusation.

do you have any proof to substantiate this?

generally with these kinds of data breaches, they are silent. many times they're not discovered until a subset of people who have had their information stolen can be used to connect the dots to the point of compromise.

this isn't a brick and mortar store, so there aren't big sirens and flashing lights that go off when someone smashes a window, detecting these kinds of intrusions can be as much art as it is science.

i would caution you to refrain from assumption in this scenario, as is not productive. however if you have proof that this is the case, please do share.

[MondoBongo]

Quote:

Originally Posted by djtuzik

6 month period for a breach is a pretty long time. And instead of sending out a cautionary email right away and posting the info all over the place, they notified via snail mail... I got fraud of 3k!

you want to notify via real mail for things like this. you assume that electronic communications have been compromised and send instructions via hard copy as a security measure to help prevent future social engineering attacks.

they probably did notify as soon as they were able to. 6 months sounds like a long time for a data breach, but it's not really.

it all depends on the nature of this breach, how they got in, where they got it, what they were doing while there. this isn't the same thing as showing up to your business in the morning and seeing that the door has been forced open and the cash register is gone. it is super easy to hide these kinds of intrusions. unless you get lucky, or have a superhuman sysop watching your network, you generally only find about them long after they've happened.

i would be willing to bet that the system you're on right now has at least half a dozen exploits that could allow an attacker invisible access to you without you ever knowing it happened.

it's scary, but also hilarious, how insecure computers and networks are.

[MondoBongo]

Quote:

Originally Posted by Jone

No not at all but there is a time frame to the letter..I want to recind what I wrote prior ..It really is bad that these situations happen but is there anything the card companies can do to stop this?? Its a topic that reoccurs to often with people and retail vendors..Especially everyone involved that gets caught up in this aggrivating mess it becomes..
Just think of the time and trouble spent by card companies and vendors that have to do damage control in these situations or implement safety standards to these safety privacy issues on a daily business basis....

it is super frustrating. it leaves you feeling absolutely powerless too, which may be the worst part. faceless attackers made off with large portions of your online identity and now have taken over something almost sacred in your life: your money.

i myself have been compromised several times, all in different ways, all from different places. some of the breaches were clear negligence on the part of the entity holding my records, others were inadvertent compromises due to human error, software bugs, etc...

it sucks. totally sucks. no two ways about it.

user soulpatch has posted some really interesting points earlier in this thread, it sounds like there will be enhanced security standards coming to US cards soon, not soon enough, but this is always a cat and mouse game.

as long as there is money to be made, the arms race between white hats and black hats will continue.

locks only ever keep out honest people.

[itz frank]

http://thehackernews.com/2014/02/Mag...e-User_13.html

please read before destroying BRS.

[rsundstrom]

When I received a letter from BRS explaining they were hacked, and PII (Personally Identifiable Information) was stolen, I like everyone else, was upset at the news.

I wrote a long email to BRS support outlining my concerns, posing some questions, and generally giving my professional opinion of the situation. (I work in the IT industry, and frequently deploy and maintain e-commerce solutions.) My letter was not an enraged flame, but it was in no way laudatory, and I believe I fairly delineated the consequences to businesses and consumers from such an incident, my view of a business' responsibility after such an event, and equally importantly responsibility before such and event, and some suggestions for their way forward. (I shared the message with my wife, and she gave me one of those looks and said "I would not like to receive an angry letter from you." I wasn't being angry, but I get her point.)

A few hours later, I received a call from Ryan, and we had a long conversation about the situation. I respect his initiative in addressing the damage head-on and in a personal, as well as professional and expert, manner. I believed before, and I believe now, this is a small company with integrity as a core tenet. I can't reveal all I was able to glean from the conversation, but will say that they have well and truly made every practical effort to rectify the situation in the best manner available. (Know that doing so is an extremely expensive and painful proposition for them, and as a small company with whom I like doing business, I hope their balance sheet can survive the hit. As much as we as customers may have lost potentially and in fact, BRS has lost far more.)

I empathize with everyone involved in this: myself, other customers, and BRS too. I do not sympathize, however. This sort of attack, while prevalent (anyone a Target customer?), is not unpreventable. I still maintain the best time to close the barn door, is before the horses escape. To mix metaphors, that's water under the bridge now. In talking with Ryan, I am convinced they have learned this very painful lesson. Right now, I have no doubt that one of the safest places to do business on-line is the BRS web site.

"Maybe they will make a youtube video about it....."
I complained that the time it took to communicate the issue was too long. Ryan, I could tell, was as frustrated as we all on this. I agree with him there is no perfect way to communicate, and in balance they did as good as can really be expected. The above quote was written by another poster, in humor, but Ryan shared that was literally his first impulse and wanted to do so immediately. The IT experts they brought in shot the idea down in no uncertain terms, and were right to do so. Immediately after the discovery, there were not enough facts in evidence to craft a coherent message, let alone an effective action plan for the business or consumers. Until they knew the nature and reach of the intrusion and theft, what was the message to be? "We were hacked. Data was stolen." Painful, but better to wait and have a clear message, targeted at the affected parties rather than a vague, ominous broadside aimed at everyone. (If I, for one, want the latter, I'll watch Fox news.)

Nobody will disagree this was an unfortunate situation. Bad things happen to good people. Everyone victimized here, including BRS, are good people IMHO.

I will continue doing business with BRS. Their business model and delivered value is still attractive to me. I will, as will we all, come away sadder but wiser knowing more than we care to about the dark side of doing business on-line. The suggestion to use PayPal as a payment processor backed by a credit card as the payment instrument is a good one. Secure payment processing is not BRS' core competence, it is PayPal's raison e'etre, and we all should be taking advantage of that as a prudent approach to e-commerce.

[d2mini]

Am I the only one not upset about this?
My bank has to send me a new debit card what seems like several times a year, including a few weeks ago. This is the first time this year.
This has just become normal to me. lol
I've never lost a dime, btw.

[TruReef]

Quote:

Originally Posted by d2mini

Am I the only one not upset about this?
My bank has to send me a new debit card what seems like several times a year, including a few weeks ago. This is the first time this year.
This has just become normal to me. lol
I've never lost a dime, btw.

Im in your boat too, S happens, get over it and live on.......& yes I was also compromised and sent a new card...

[GilliganReef]

Quote:

Originally Posted by MidwesternTexan

As I sit here at work, I wonder why everyone can't just do honest work anymore?

Why so many have to 'cheat,game' the system?

What's funnier, is that it happens so often, that usually unless it's at least a 5K loss,
they don';t even investigate it. Is that funny or what?

I use to work Fraud for Target. I was able to stop a lady in NY. Who used 8different people CCs to purchase txt G/C's. Where she was in a box store trying to combine the cards onto one G/C. So Target wouldnt be able to trace her activity. I was lucky enough to start tracing 3 out of 8 being used at that time in a store. Had the other 5 cancelled and called the store to have that g/c voided. Its always fun calling a Susan or Lisa who has a really deep voice, Or catch these morons in the act. Red flag are if it is a URL from Eastern Europe or West Afric a. Saddest is when you call an old lady asking her if she purchased a $150 G/C for someone she never heard of.

[rsundstrom]

I was behind this old guy at an Walmart ATM who was working the machine for a good 15 minutes before my curiosity and impatience got the best of me and I stepped up to look over his shoulder to see what on earth was taking so long. He had a handful of cards that he was dutifully trying, one by one, to get money from the machine - without much luck I might add.

I kindly suggested he steal higher quality plastic, or at least learn how to steal PINs as well so the process would not take so long, and the rest of us could get on with our day.

[Erasmus_Crowley]

I know this happened a while ago, but two days ago I got the first of several strange emails. Tonight I was notified via email that someone created an account at McAfee security and paid for it with my credit card. I immediately cancelled that card before any other damage could be done, but I have since tracked down several other accounts created using my personal information and credit card.

These accounts have not been used by the thief and they are all products that auto-renew each month and that are very difficult to cancel. My best guess is that someone is currently running a bot to sign up to these services with the information in the stolen BulkReefSupply data just to be a malicious jerk.

I just wanted to give a heads up to anyone else that hasn't cancelled their cards yet. Be very vigilant and cancel your CC at the first hint of anything you don't recognize.

[jminick2]

Just like to let everyone know, in good faith I ordered from BRS (AFTER the big incident) I received a letter today that says they have identified more small affected files that were not previously included in the scope of earlier announcement. Potentially affected customers is anyone who logged into the website between Feb 22 and march 16. Apparently this is an on going issue with them. I used paypal so i'm not that worried but be warned.

[rfgonzo]

Quote:

Originally Posted by jminick2

Just like to let everyone know, in good faith I ordered from BRS (AFTER the big incident) I received a letter today that says they have identified more small affected files that were not previously included in the scope of earlier announcement. Potentially affected customers is anyone who logged into the website between Feb 22 and march 16. Apparently this is an on going issue with them. I used paypal so i'm not that worried but be warned.

Great, hopefully it doesn't happen again.

[oseymour]

Quote:

Originally Posted by jminick2

Just like to let everyone know, in good faith I ordered from BRS (AFTER the big incident) I received a letter today that says they have identified more small affected files that were not previously included in the scope of earlier announcement. Potentially affected customers is anyone who logged into the website between Feb 22 and march 16. Apparently this is an on going issue with them. I used paypal so i'm not that worried but be warned.

I got another letter yesterday...Only it didn't have my name on it. It was my address .

I always use paypal so I'm not worried but jeeze.

[jamie1981]

Quote:

Originally Posted by oseymour

I got another letter yesterday...Only it didn't have my name on it. It was my address .

I always use paypal so I'm not worried but jeeze.

Got another one today with my address also, but the first and last name was not mine this time eiather.

I don't really understand why some people get so upset over this. It happens, theives will always be one step ahead.

[shamus]

I got the letter and 2 days later got a fraudulent charge on my card. I only used my card at BRS. Sucks but there is nothing you can do about it. This was the second time this has happened in 5 months.

[jminick2]

Quote:

Originally Posted by jamie1981

Got another one today with my address also, but the first and last name was not mine this time eiather.

I don't really understand why some people get so upset over this. It happens, theives will always be one step ahead.

Because its their God given right, some people don't like the idea of criminals having their information. I betcha if you lost thousands of dollars like this your attitude would be different.

[soulpatch]

Quote:

Originally Posted by jminick2

Because its their God given right, some people don't like the idea of criminals having their information. I betcha if you lost thousands of dollars like this your attitude would be different.

I guess that depends on who you expect to direct the rage at. If at the hackers I am with you. If at the retailer then not with you so long as the retailer had security and such.

In this instance BRS uses Magento which a TON of other companies use as their checkout platform. They also have Verisign which again is pretty standard. Magento was what was hacked and many other companies using the Magento platform were hacked as well.

[jminick2]

I rage at the criminals.

[christopherjudd]

Quote:

Originally Posted by oseymour

I got another letter yesterday...Only it didn't have my name on it. It was my address .

I always use paypal so I'm not worried but jeeze.

just got another letter with the same thing

[soulpatch]

Quote:

Originally Posted by jminick2

I rage at the criminals.

THen in 100% agreement with you...


Also instances like this are why you should always use a credit card online not linked to a bank acount. That way you have their fraud working for you and it is THEIR money in the wind vs your own money while you fight with the bank to get it back...

[jamie1981]

Quote:

Originally Posted by soulpatch

THen in 100% agreement with you...


Also instances like this are why you should always use a credit card online not linked to a bank acount. That way you have their fraud working for you and it is THEIR money in the wind vs your own money while you fight with the bank to get it back...

Exactly I never use debit cards or bank accounts online unless it is the only option. Use use PayPal or credit cards...much safer, it's much harder to get your money back from a checking account. Credit cards all it usually takes is a chargeback and a new card number.

[kissman]

Not sure if it has anything to do with BRS. I have used my card there recently over the last few weeks. Just got 2 Fraud charges from Salt Life each $705 each. Fruad Protection called me to see if I had made the charges. Looks like they denied it since it hasn't hit my account so far. But, still a pain in the *** to have to cancel the card and wait for a new one.

[blrrobinson21]

I got the same thing. A letter, my address but different name.

[d2mini]

I had fraudulent charges back when this first came out, got a new card, and just this weekend i got more fraudulent chargers to the new card from two places in the UK.
Not sure which one is related to the BRS event, but yeesh! Craziness. Not to mention a pain in the butt. Luckily my bank catches these things instantly.