Banking institutions and their customers need to be aware of a new online retailer data breach.
New York-based clothing and shoe retailer Opening Ceremony has reported a breach of its global online boutique that likely compromised payment card details of customers who purchased products online between Feb. 16 and March 21.
"Unfortunately, the hacker may have accessed the names, addresses, and credit card information of customers who purchased an item on our website during this period," writes Opening Ceremony CEO Carol Lim in a May 4 letter sent to affected customers. "We are notifying you so that you can be aware of this situation and take steps to protect yourself from any harm, including contacting your bank and/or credit card company."
Lim says malware was discovered on the e-commerce site March 21 and was immediately removed. Additional security controls also have been added, she says, to prevent future attacks. The letter does not mention an offer of free credit protection, but it does direct consumers to ID Experts, the breach prevention and response firm Opening Ceremony hired to investigate the incident.
ID Experts is assisting affected cardholders with identity theft tips and advice, says Kelly Stremel, an ID Experts spokeswoman. But she declined to offer additional details about the breach.
Opening Ceremony has yet to provide details about the number of accounts exposed and exactly how the breach occurred. No information about the breach is available on Opening Ceremony's website, and calls to Opening Ceremony were not returned.
PCI Compliance Questioned
PCI security expert and Gartner research director Anton Chuvakin says card details were likely unencrypted and stored on the site.
"The bit that caught my attention in this letter is that credit card information was exposed," Chuvakin says. "There are really only two scenarios that would allow the actual card numbers to be stolen: either from a database on the back end, which means the retailer was in violation of PCI-DSS, or the hacker could have launched something on the site to get the numbers after they were transmitted."
The latter, Chuvakin says, is much less likely. As a small e-commerce site, categorized under Level 2-4, Opening Ceremony does not have to undergo an audit by a qualified security assessor to validate compliance with the Payment Card Industry Data Security Standard. Instead, the card brands allow smaller e-commerce merchants to self-assess. Chuvakin says those self-assessments are often nothing more than checklists of security measures the online retailers never take.
"E-commerce sites are more vulnerable when they don't take PCI seriously," he contends. "Everybody who is involved in PCI-DSS probably knows a merchant that just entered 'yes' to everything, without really doing a thorough job of checking for compliance."
In January, a similar breach at another online retailer, Zappos.com, affected an estimated 24 million accounts. That incident exposed customer names, e-mail addresses, billing and shipping addresses, phone numbers, and the last four digits of payment card numbers. Scrambled passwords also were suspected of being exposed.
Chuvakin notes Opening Ceremony's acknowledgment that malicious software was discovered on the site, but says he believes the retailer was out of compliance. "The attacker was probably able to attack unencrypted card numbers," he says. "But given the lack of details, it's hard to say for certain."
Merchants' and processors' failure to comply with PCI is an ongoing security concern.
The Opening Ceremony breach comes on the heels of the highly publicized breach at payments processor Global Payments that is believed to have exposed 1.5 million debit and credit accounts. Global Payments has since been removed from Visa's list of compliant processors.