WHID 2008-01: Information stolen from geeks.com (Updated)


Update (Feb 8th 2009) - The company has reached a settlement with the FTC. Not a breathtaking achievement in the effort to make business care about web application security, yet a step in this direction. The report also identifies the attack as an SQL injection attack.


Very detailed records of geeks.com customers were stolen from the site. The records included name, address, telephone number, e-mail address, credit card number, expiration date, and most notoriously, card verification number (CVV).

The interesting part is that the site had a Hacker Safe seal. The seal was revoked twice last year due to vulnerabilities, but restored after they were patched. It seems that this time the hack preceded the scan or the scan missed the vulnerability. So much for application scanning and vulnerability assessment...

And don't dismiss it as just a site for geeks: Geeks.com is a $150M/year business.

Additional information:

Attack Method: 
Incident Outcome: