Aug 08, 2013

From the this-doesn’t-sound-good dept.:

Smartphone Experts discovered that the system used for customer payments for online shopping had been hacked. Although stored customer data were encrypted, Diana Kingree, the Senior Vice President of Commerce, noted that the hacker may have been able to use a decryption feature of the system to view customers’ names, addresses, credit or debit card number, CVV, and card expiration date. Why all that information was even stored on the system or for how long it was stored was not disclosed [See UPDATES below for answers to those questions].

The breach was discovered by the Florida-based e-tailer on July 12, but the firm does not indicate how it learned of the breach or, more importantly, perhaps, when the breach actually occurred. California’s breach submission form requires entities to report the date of breach if known. Smartphone Experts did not provide that information, which may indicate that the forensic investigators have yet to determine when the breach actually began.

In their notification letter to customers dated August 6, Smartphone Experts does not offer customers any free credit monitoring service. Indeed, they say they are notifying customers “out of an abundance of caution.” Not only do I disagree that notification is “an abundance of caution” for this situation, I think affected customers should have been offered some free credit monitoring services.

NOTE to those seeking information on this incident: Smartphone Experts has 4 stores in the US: ShopAndroid, ShopCrackBerry, iMoreStore, and WPCentralStore. They also have 2 stores in Canada: Crackberry Canada and BlueShop.

Update 1:  Some customers are reporting in the Comments section that they became victims of card fraud that they believe is attributable to this breach. Obviously, this blog cannot confirm the source of any particular fraudulent charges, but if you are notified of this breach, do check your credit reports and take steps to protect yourself.

Update 2: There are also a number of fraud reports on Smartphone Experts’ web site where they posted a copy of their notification that contains more details than the one I linked to above. As I noted in my blog entry, “abundance of caution” my left foot. While each fraud report needs to be investigated, if there are many of them, Smartphone Experts should be offering consumers fraud protection and identity theft restoration services, in my opinion.

Update 3: According to additional information posted on Smartphone Experts’ forum, the vulnerable period for exposure was between April 25, 2012 and July 12, 2013, so it was a long-running breach. The breach did not affect customers who made payments by credit card through PayPal Express Checkout. The store team also explained that:

CVV was always purged post-authorization. However, because the hackers may have been able to access some data from orders in pre-authorization stage it was prudent to include that in the notification.

A copy of the email sent to Canadian customers can be found here.

Update 4: 545 New Hampshire residents are among those being notified of the breach.

Update 5: 3,601 Maryland residents are among those notified of the breach.

  27 Responses to “Smartphone Experts notifies customers of hack (Update 5)”

  1. I am actually amazed every time I see a site that stores the CVV, when it is actually forbidden by the PCI-DSS requirements (section 3.2.2).

    • I’m no longer amazed, but I continue to feel frustrated.

      Smartphone Experts has 4 stores in the US: ShopAndroid, ShopCrackBerry, iMoreStore, and WPCentralStore. They also have 2 stores in Canada. If we look at the privacy policy for ShopAndroid, we read:

      With respect to security: We always use industry-standard encryption technologies when transferring and receiving sensitive consumer data exchanged with our site, We have appropriate security measures in place in our physical facilities to protect against the loss, misuse or alteration of information that we have collected from you at our site.

      If you feel that this site is not following its stated information policy, you may contact us at the above addresses or phone number, state or local chapters of the Better Business Bureau, state or local consumer protection office, The Federal Trade Commission by phone at 202.FTC-HELP (202.382.4357) or electronically at http://www.ftc.gov/ftc/complaint.htm.

      So I note that they don’t state they are PCI-DSS compliant.

      • Same thing here. Made a purchase on June 17, 2013 and was informed by my bank that someone had tried to make a $330 payment in London. Transaction was declined because of location. Card cancelled and new one received. What a crap company.

  2. I got this letter in today’s mail. Fortunately, the credit card company I use watches for suspicious activity and noticed the misuse of the card I used on ShopAndroid’s site–it happened earlier this week so the letter was too late. I think they should have been more diligent in getting this information to people who may have been affected–an e-mail would have been faster and they could have sent a letter later if the law requires it.

  3. I received the letter today but have yet to see any unauthorized charges on my card.

    I don’t know why they can’t just keep the CC information temporarily for processing payments and then have it removed from the database. They should at least provide the option to not have your info stored.
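The CVV rule raised in comment 1 (PCI-DSS 3.2.2) and the “keep it only while processing, then remove it” point in comment 3, turned into a defender-side retention check. This is added example code, not Smartphone Experts’ system or the blog author’s; the Order layout, the grace and retention limits, and the sample records are all assumptions.

```python
"""Retention audit over constructed order records.

Added example, not code from Smartphone Experts or the original post.
It checks the two rules the page turns on: PCI-DSS 3.2.2 forbids keeping
the CVV once a transaction is authorized, and card data left in stale
pre-authorization orders or kept for months widens what a breach exposes.
The retention limits below are assumed, not taken from any standard.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

PREAUTH_GRACE = timedelta(hours=24)  # assumed: how long a pending order may hold a CVV
PAN_RETENTION = timedelta(days=90)   # assumed business limit for keeping a full PAN


@dataclass
class Order:
    order_id: str
    created: datetime
    authorized: Optional[datetime]  # None while the order is still pre-authorization
    pan: Optional[str]              # full card number if the record still holds one
    cvv: Optional[str]              # must be purged once `authorized` is set


def audit_order(order: Order, now: datetime) -> List[str]:
    """Return the retention violations found in one order record."""
    findings = []
    if order.cvv is not None:
        if order.authorized is not None:
            findings.append("CVV retained after authorization (PCI-DSS 3.2.2)")
        elif now - order.created > PREAUTH_GRACE:
            findings.append("CVV held in a stale pre-authorization order")
    if order.pan is not None and now - order.created > PAN_RETENTION:
        findings.append("full PAN kept beyond the retention window")
    return findings


def audit_orders(orders: List[Order], now: datetime) -> Dict[str, List[str]]:
    """Map each non-compliant order id to its findings; clean orders are omitted."""
    return {o.order_id: f for o in orders if (f := audit_order(o, now))}


# Constructed sample records; the card number is a well-known test PAN.
NOW = datetime(2013, 7, 12)
SAMPLE_ORDERS = [
    Order("A1", datetime(2013, 7, 1), datetime(2013, 7, 1), None, None),      # compliant
    Order("B2", datetime(2013, 7, 1), datetime(2013, 7, 1), None, "123"),     # CVV kept post-auth
    Order("C3", datetime(2013, 7, 11, 18), None, "4111111111111111", "456"),  # pending, within grace
    Order("D4", datetime(2012, 4, 25), None, "4111111111111111", "789"),      # stale pending order
]

if __name__ == "__main__":
    for order_id, findings in audit_orders(SAMPLE_ORDERS, NOW).items():
        print(order_id, "->", "; ".join(findings))
```

Running it on the sample set flags only B2 and D4; a pending order that is still inside its grace period is left alone, which is the distinction the store team’s “purged post-authorization” statement relies on.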

  4. I also received the letter. At first I didn’t know who Smartcard Experts was so I tried calling the number given in the letter for inquiries. After being placed in their automated hold queue for 35 minutes, I finally hung up. When I did a search for them on the Internet, I see they have an Android accessory online store as one of their businesses. I made a purchase from them on 6/6 and my credit card received an unauthorized charge for $800 from a bogus business on 6/28. My bank credited the money back, cancelled my card and issued me a new one. Smartphone Experts are obviously not experts with cyber security and customer service. They had totally inadequate security, an extremely late response and a horrifically inadequate remedy (take advantage of your free credit report from the big 3). I would not recommend anyone do business with this lousy company.

  5. Got the “July 12, 2013 Hacked” letter on August 9, 2013. One day prior, on August 8, 2013, there was an illegal/unauthorized purchase using my card and information for $399.09 on Walmart.com. Immediately cancelled card, notified both my bank and Walmart.com. I live in CA, purchase was scheduled to be delivered to VA. Such a pain and frustration!! The letter was too little too late!

  6. I bought something from them for my Android phone in early July; today I was called by the card company for fraudulent use of my card at two different websites. Luckily my credit card company was alert on this. I will be calling the number on the letter I received from Smartphone Experts.

  7. On December 10, 2012 I made a purchase from ShopAndroid. One month later, Jan 28, 2013, I had two fraudulent charges on my debit card. I am in Texas and someone in France used my card # to purchase items in Spain totaling just over $2000. I was notified by my bank in time to stop a 3rd charge. It took over a month before I got a refund and I canceled my debit card. I am guessing that they just found out about this problem.

    • I’m glad you acknowledge you’re guessing, as they haven’t disclosed when the breach first occurred, and for all we know, it may have been a matter of days or weeks. Have you contacted them to ask if the fraud you experienced could be due to their breach? If you do contact them and get more info about when the breach first occurred, please share it here.

      • Shortly after posting here, I forwarded the URL of this thread to the fraud dept of USAA and suggested that they search transactions for the 6 retail stores run by SmartphoneExperts and correlate any transactions with fraud reports by their customers. They called me to confirm two transactions but I didn’t get to my cell phone in time, and when I returned their call they (USAA) had approved two of the purchases and the party attempting to make the 3rd transaction was denied.

    • OK, from additional information on the window now available, it seems that your purchase was within the window where it may have been compromised by a purchase on their site. And yes, they discovered the problem in July of this year, even though it may have begun in April 2012.

  8. I received the letter and can’t figure out why. When I checked out the company I couldn’t remember ever buying anything on line from their affiliates. Are they sending this to everyone who has a Droid who made an online purchase from anyone – ever?

  9. I got the letter yesterday, checked my credit card web site and sure enough had an unauthorized charge on the 7th of August. Now I am without my card until the replacement gets here.

  10. The “Dear customer name” notice letter stated that they learned of the breach on July 12, 2013; however, it took until August 7 to send me a letter. Specifically it stated, and I quote:

    “On July 12, 2013, we learned that a hacker gained access into the computer system we use to process payments for purchases made on our website. We immediately implemented measures to prevent any further unauthorized access and engaged a leading data security firm to complete the investigation”

    The offer to monitor my credit only annually seems to be too little too late. Cancelled the card and share the concerns of those that posted above. I understood that each state has statutory requirements for data breach notification as well as penalties associated for non-compliance. If there is a hungry attorney out there this may be an opportunity to certify a class, as likely many individuals are impacted!

    Regards,

    Thomas

    • Did they actually offer you free credit monitoring services? If so, by whom? The notification letter I had seen did not make that offer.

      • I got the letter, mail only, and called them. I had a Shopandroid.com purchase on a seldom used card that had to be shut down a day after the purchase for fraudulent charges.
        Little sympathy about my card shutdown while travelling.
        A flat “NO” on credit monitoring. “Since SSN’s were not hacked, your credit is not at risk, and Smartphone Experts will not provide or pay for monitoring”
        Please, @Dissent, tell us if they said otherwise to you!
        Thanks.

        • There have been numerous cases that involved credit card numbers, but not SSN, where the entities offered those affected identity theft monitoring services. These days, about 50% of breaches result in offers of ID theft monitoring even though less than 15% of breaches in OSF’s database involve SSNs.

          From a PR standpoint, I think they’ve erred by not offering affected customers some services at their expense. Right now, at least some customers seem to be left with just a really bad experience and the sense that the company doesn’t really give a damn about what it’s put them through. That alone can cause customers to flee (called “churn”). When entities offer customers some services, customers may be less likely to leave. Then too, it might cost less to offer some services than to defend against a lawsuit by angry consumers. Many such lawsuits get thrown out for lack of demonstrated harm, but if SPE customers incurred charges on their debit cards that weren’t reimbursed by the banks, that would likely satisfy the “harm” requirement and give them standing.

          Alternatively, consumers might get angry and file a complaint with the FTC. SPE states “We always use industry-standard encryption technologies when transferring and receiving sensitive consumer data exchanged with our site, We have appropriate security measures in place in our physical facilities to protect against the loss, misuse or alteration of information that we have collected from you at our site.” Did SPE have reasonable security in place to detect the hack that occurred in 2012? And is it “industry standard” to store the decryption key where the hacker could get to it? I don’t know the answers to those questions, but those are just two of the questions I’d be asking.

          I think SPE has done a relatively good job on breach response by having the Store Team monitor their forum and respond to consumer questions. That helps, but I don’t think it’s enough where you’ve had a long-running compromise and people are reporting fraud and inconvenient card cancellations.

  11. Seems a Canadian got nailed as well from the Canadian site(s). He speaks about it a little bit here:
    https://secure.dslreports.com/forum/r28549017-Crackberry-Canada-and-BlueShop-data-breach

  12. Made my Purchase in April 2012, Hacked in July 2012, notified 13 months later, good security system.

    Does CISO mean “Career Is Seriously Over!” ?

    No offer for credit monitoring or anything, cheap cheap cheap ! any reply Smartphone?

    crickets crickets crickets, I thought not.

  13. Thanks to your article I was able to learn of the companies these purchases were sold under. I searched my email and found the purchase and learned the card number. Thanks to other unauthorized purchases, the card number was already retired.

    Thanks again.

  14. There’s a bunch of complaints about this on the android channel also:
    http://forums.theandroidchannel.com/topic/658-online-accessory-retailer-smartphone-experts-announces-credit-card-theft/#entry6001

    This is absurd. Never buy from them again!

  15. If we can prove fraud to our personal accounts, is a class action suit in order? This is called negligence.

    • Based on my reading of lawsuits and their outcomes – and keep in mind, I am not a lawyer – you stand a better chance if there were actual fraudulent charges AND your bank did not restore the funds to your account, i.e., if you incurred unreimbursed costs.
