Winery credit card processor breach MERGED

Corison just sent out a note.

^^This - or really, Ecellar offers some services while also making it easier to sync data across all of those sites. One of the largest challenges with customer management - for a winery or retailer - is trying to make sense of all the disparate customer info and preferences that are generated by the many systems necessary to run a business these days. Website/ecommerce/accounting/email marketing/social media - one (or all) of those venues will typically have information about a specific customer, but they don’t typically talk to one another.

Outpost also.

Add Palmaz and Pride to the list.

There are laws in, IIRC, 47 states known generally as “Security Breach Notification Laws” that address the notification issues. It’s a bit of a mess in Interstate Commerce because all the laws are not the same and Congress is considering a national standard. However, all of the laws that I have reviewed - probably about a dozen - provide that the notification obligation is on the party whose customer’s data has been compromised, AND IT HAS TO WORK THAT WAY. If A has customer data that is compromised, A must notify. If B has data belonging to A’s customers, B must notify A and A must notify the customer. The reason it has to happen this way is that B might not, and in many cases should not (think a bank account), have sufficient data to notify the customer; they may only have two data points - name and SS# or credit card # - and they are unable to notify.

BUT HERE IS THE INEPTITUDE ISSUE THAT SOMEONE SHOULD KICK THEM IN THE ASS ABOUT (“Eric my last name rhymes with Wine” should weigh in on this one because it is right up his alley and beyond my technical expertise):

If they encrypt the data while at rest as well as while in transit, there is no risk so long as the encryption keys are kept on a system different from the system with the data and the keys are not compromised. The laws all provide a safe harbor for encrypted data. However, encryption of data while at rest is rare because all the bozos who hold data make the argument, which tech people have told me is BS, that encryption while at rest creates too many inefficiencies in using the data. However, they are not running on 8088 chip machines any more and I have been told that modern machines would cause a delay of a few milliseconds that would not be noticeable to decrypt the data so the data can be used. I have been insisting in contracts that service companies with data from bank clients agree to encrypt while at rest, but it is an uphill battle. So you tech guys have at it on that issue.

Add Outpost

Pride also

“consumer direct sales systems provider”. Is that their way of saying “all credit cards” used at a given winery or just mailing lists/shipped items, etc?

I have not received an e-mail but am checking nonetheless.

I think we’re talking apples and oranges here. Any business that takes CC information is going to be using a Gateway like Authorize.net or Paypal to run transactions. Computer systems (Retail POS, winery website/inventory management, etc) that take CC payments have strict guidelines on how the CC info is handled, which is dictated by PCI Security Standards: http://www.pcisecuritystandards.org

Without getting too technical – all systems are now expected to never hold CC info on their systems, but immediately pass it to the Gateway. The Gateway they are using hands back a unique token, which is what is stored in the merchant’s database. In the event of a hack, only a customer’s name and address info would be available – the token is only usable between the merchant and Gateway, so it’s useless to the hack.

The issue is most legacy systems were never designed this way – they would just hold the CC information in the customer database, sometimes encrypted but often not. And if you are a small business that is still using a legacy system, it’s REALLY expensive to upgrade. We are talking about upgrading your entire business software suite - website, inventory management, etc.

What surprises me is that it appears that Ecellar had not updated their system to PCI compliance – which seems to be quite a liability if you are handling transactions for XXX businesses.
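As an added illustration of the tokenization flow described in the post above (this is example code, not anything from Ecellar, Missing Link or any real gateway), the hypothetical `Gateway` class keeps the card number in its own vault and hands the merchant an opaque token; a Luhn-based scan of the kind a PCI assessor runs over a database dump flags the legacy record and finds nothing in the tokenized one. The same custody separation is what the earlier encryption post argues for: the system an attacker dumps holds nothing usable on its own. `SAMPLE_PAN` is a constructed test number, not a real account.

```python
import re
import secrets

# Constructed sample PAN (a standard test number that passes Luhn; not a real account).
SAMPLE_PAN = "4111111111111111"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: how card-number scanners separate PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(blob: str) -> list:
    """Scan a dump for 13-19 digit runs that pass Luhn, i.e. what a PCI data-discovery scan flags."""
    return [m for m in re.findall(r"\d{13,19}", blob) if luhn_ok(m)]


class Gateway:
    """Hypothetical gateway standing in for Authorize.net/PayPal: holds PANs, hands back tokens."""

    def __init__(self):
        self._vault = {}  # token -> (merchant_id, pan); lives only on the gateway side

    def tokenize(self, merchant_id: str, pan: str) -> str:
        token = secrets.token_urlsafe(16)   # random; mathematically unrelated to the PAN
        self._vault[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id: str, token: str, cents: int) -> bool:
        entry = self._vault.get(token)
        # A token is honoured only for the merchant it was issued to, so a stolen token is useless elsewhere.
        return entry is not None and entry[0] == merchant_id and cents > 0


def legacy_record(name: str, pan: str) -> str:
    """Legacy design: the PAN sits in the merchant's customer database."""
    return f"{name}|{pan}"


def tokenized_record(gw: Gateway, merchant_id: str, name: str, pan: str) -> str:
    """Tokenized design: the merchant keeps the token and the last four digits only."""
    token = gw.tokenize(merchant_id, pan)
    return f"{name}|{token}|last4={pan[-4:]}"
```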

Pride just sent a notice as well.

The list is going to get longer.

I’m surprised this sector has not adopted two-step authentication. This seems the most logical (and much needed) application for it.

I’m doomed. I’m not only on the Scott Paul mailing list but I’m a retired Federal employee and I pay taxes to the IRS. Bank of America issued a new credit card some months ago due to a hacking incident, and I just got a new debit card from BB&T due to a fraudulent charge on my old card which I disputed. I probably had used the old debit card at Target sometime in the past and I know Target had a hacking problem. It really is aggravating. I think only one of my cards has a special chip to cut down on fraud. We need a solution to this!!!

Larkmead

Add Repris to the list.

This was sort of my line of thinking Jay. MLN (B) has only the information needed to process a transaction. Theoretically, they could notify card holders via their billing address since they collect this info in the course of the transaction, but the winery (A) holds the customer’s email, phone, etc.

To Eric’s point, I suppose MLN could publish a list of its winery customers, but as I said previously, they may not be able to disclose that list. If I were a winery owner, I would probably want to reach out to my customers in my own words, and on my own terms.

Repris

According to Krebs on Security, Missing Link has implemented a token system in response to the breach.

The question is why they didn’t have this in place earlier.

What you are saying, I gather, is that they did not properly encrypt and unencrypted data is what was stolen, which was my point. However, note that you have JPM Chase, Target, Home Depot and a bunch of other major companies with significant hacks, so they must not be encrypting either, or they have not safeguarded the encryption keys, as in writing your PIN on the back of your ATM card.

Add Martinelli to the list.

Wait a week. Publish a list of wineries.