Sourcebooks suffers credit card data breach (update2)
Dave Lewis writes:
It wouldn’t be a Friday afternoon without a company sharing that they had suffered a data breach. Normally, I’m the first person to be sympathetic in this type of situation but, I have seen enough of these Friday disclosures that I’m starting to call bull spit on these.
Just “starting,” Dave? What took you so long? @IDexperts and @PogoWasRight have been snarkily commenting on these Friday afternoon disclosures for well over a year now.
In any event, as to the Sourcebooks breach, you can read Dave’s coverage on CSO. By today’s standards, a 4-month delay between discovery of the breach and notification is considered long.
Sourcebooks had submitted a copy of their consumer notification letters to the California Attorney General’s Office for their Sourcebooks and for PutMeInTheStory sites (you can access their notification letters here and here). As Sourcebooks CEO and owner Dominique Raccah writes:
Sourcebooks recently learned that there was a breach of the shopping cart software that supports our website, putmeinthestory.com, on April 16, 2014 – June 19, 2014 and unauthorized parties were able to gain access to customer credit card information. The credit card information included card number, expiration date, cardholder name and card verification value (CVV2). The billing account information included first name, last name, email address, phone number, and address. In some cases, shipping information was included as first name, last name, phone number, and address. In some cases, account password was obtained. To our knowledge, the data accessed did not include any Track Data, PIN Number, Printed Card Verification Data (CVD). We are currently in the process of having a third-party forensic audit done to determine the extent of this breach.
Neither site has any consumer alert or notification on it, which is not that unusual, although I do wish sites had to prominently post such notifications as HIPAA-covered entities may have to do.
UPDATE of 10-24-14: Brian Krebs reports that approximately 5,100 customers were affected.
UPDATE of 10-28-14: The incident was reported to the NH Attorney General as affecting 5,204.