Network Solutions was PCI compliant before breach

By Angela Moscaritolo

June 18, 2010 Updated Jul 27, 2009 at 12:31 PM EDT

Web hosting firm Network Solutions on Friday announced that, despite its being PCI compliant, a breach had compromised approximately 573,928 individuals' credit card information.Network Solutions discovered unauthorized code on its servers used to support thousands of e-commence merchants' websites, Susan Wade, director of communications at Network Solutions told SCMagazineUS.com on Monday. The company determined that the unauthorized code may have been used by cybercriminals to capture transaction data, including customer names, addresses, and credit card numbers, and transfer it to servers outside of the company, she said.

Approximately 4,343 e-commerce websites were affected by the breach. Network Solutions could not disclose which merchants were affected but said the victimized merchants sell a wide variety of merchandize and are primarily small businesses. The breach occurred from March 12 to June 8 and the issue has since been mitigated, Network Solutions said.

“We feel deeply sorry about this; we know it is very concerning to our e-commerce customers,” Wade said.

Wade added that Network Solutions is compliant with the Payment Card Industries (PCI) Data Security Standards, but did not immediately know when the last compliance assessment was conducted.

Network Solutions is working with law enforcement and a third-party data forensics company to investigate the breach, but as yet does not have an explanation of what made the company vulnerable, Wade said. In addition, the company has implemented additional security measures since the breach but has not provided any specifics.

A website has been established to provide information about the breach to e-commerce merchants, and Network Solutions will be helping merchants notify customers whose information was compromised. Notifications to affected customers will be going out in the next few days, the company said. In addition, affected individuals will be offered 12 months free credit monitoring at Network Solutions' expense.

No reports of misused credit card account information associated with the breach have been filed, Network Solutions said in a statement.

In response to news of the breach, Steve Moyle, CTO and founder of database security company Secerno, told SCMagazineUS.com in an email on Saturday that people are probably questioning how this breach could have happened and continued for so long, especially after the Heartland breach clearly illustrated the consequences.

Moyle said that many enterprises are behind in security protection efforts such as anti-virus updates due to shrinking IT budgets, which results in unpatched vulnerabilities that are easily exploited.

In addition, Amichai Shulman, CTO of database and application security company Imperva, told SCMagazineUS.com in an email Monday that the incident illustrates the risks of cloud computing.

“This incident points out the basic problem of cloud computing: With many more companies hosting their data on the internet, the databases and the servers they are hosted on become phenomenally attractive,” Shulman said.

“The attackers here aimed at the big prize -- the servers. Instead of dealing with a website here and there, once the hackers broke in, all the sites were open to them," he added. "The lesson: Once you've penetrated the cloud, you've got an easy path to the important, underlying data.”




What are your thoughts CLICK HERE to leave us a "Your2Cents” comment.

Want to be in the know for the next weather event, the next school closing or the next big breaking news story?

TextCaster alerts from Indiana's NewsCenter are your defining source for instant information delivered right to your cell phone and email. It's free, easy and instant. Sign-Up Now!

Powered by Summit City Chevrolet



© Copyright 2014, A Granite Broadcasting Station. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

To submit a comment on this article, your email address is required. We respect your privacy and your email will not be visible to others nor will it be added to any email lists.