Smartphone Experts notifies customers of hack (Update 5)
From the this-doesn’t-sound-good dept.:
Smartphone Experts discovered that the system used for customer payments for online shopping had been hacked. Although stored customer data were encrypted, Diana Kingree, the Senior Vice President of Commerce, noted that the hacker may have been able to use a decryption feature of the system to view customers’ names, addresses, credit or debit card number, CVV, and card expiration date. Why all that information was even stored on the system or for how long it was stored was not disclosed [See UPDATES below for answers to those questions].
The breach was discovered by the Florida-based e-tailer on July 12, but the firm does not indicate how it learned of the breach or, more importantly, perhaps, when the breach actually occurred. California’s breach submission form requires entities to report the date of breach if known. Smartphone Experts did not provide that information, which may indicate that the forensic investigators have yet to determine when the breach actually began.
In their notification letter to customers dated August 6, Smartphone Experts does not offer customers any free credit monitoring service. Indeed, they say they are notifying customers “out of an abundance of caution.” Not only do I disagree that notification is “an abundance of caution” for this situation, I think affected customers should have been offered some free credit monitoring services.
NOTE to those seeking information on this incident: Smartphone Experts has 4 stores in the US: ShopAndroid, ShopCrackBerry, iMoreStore, and WPCentralStore. They also have 2 stores in Canada: Crackberry Canada and BlueShop.
Update 1: Some customers are reporting in the Comments section that they became victims of card fraud that they believe is attributable to this breach. Obviously, this blog cannot confirm the source of any particular fraudulent charges, but if you are notified of this breach, do check your credit reports and take steps to protect yourself.
Update 2: There are also a number of fraud reports on Smartphone Experts’ web site where they posted a copy of their notification that contains more details than the one I linked to above. As I noted in my blog entry, “abundance of caution” my left foot. While each fraud report needs to be investigated, if there are many of them, Smartphone Experts should be offering consumers fraud protection and identity theft restoration services, in my opinion.
Update 3: According to additional information posted on Smartphone Experts’ forum, the vulnerable period for exposure was between April 25, 2012 and July 12, 2013, so it was a long-running breach. The breach did not affect customers who made payments by credit card through PayPal Express Checkout. The store team also explained that:
CVV was always purged post-authorization. However, because the hackers may have been able to access some data from orders in pre-authorization stage it was prudent to include that in the notification.
A copy of the email sent to Canadian customers can be found here.
Update 4: 545 New Hampshire residents are among those being notified of the breach.