Red Card! MLSGear.com Shoppers Exposed To Identity Theft

Computerworld is reporting that “a series of SQL injection attacks” on a third-party e-commerce company’s servers has compromised the personal data of customers who shopped at Major League Soccer’s MLSgear.com website. One affected customer told us he received a letter from MLSgear.com letting him know what had happened and offering him free credit monitoring services for a year, which is apparently the standing corporate response to personal data theft.

Bob writes:

I purchased a shirt from MLSGear.com a few months ago. I just received a letter from Mark Abbott, President of MLSGear.com letting me know that their third party ecommerce vendor got hacked and my data may have been accessed…or not.

Anyway, it seems they canned their third party ecommerce vendor, and they are offering free credit monitoring services for the next year.
I wish my data was not compromised to begin with, but I will take the monitoring service. I am glad they are standing up and taking the responsible action. (would they if there were no laws?)

As security breaches go, this one hit a small number of people—169 New Hampshire residents according to the article—but “security analysts expect such attacks to become increasingly common because a large number of Web sites are vulnerable to them.”

In recognition of that, the major credit card companies in July will begin requiring retailers and other merchants that accept payment cards to either install a firewall in front of all Web-facing applications or submit custom application code to an outside security firm for a vulnerability review.
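The article does not say what the vendor's flawed code looked like, but the defect class it names is what an outside code review would be hunting for. The following is an added illustration, not code from MLSgear.com or its vendor: a constructed in-memory order table, the query pattern that makes SQL injection possible (user input spliced into the SQL text) beside the parameterised form a reviewer would require, and the kind of regression test that shows the difference.

```python
import sqlite3

# Constructed sample data standing in for a vendor's order table.
# Card numbers are masked placeholders, not real data.
SAMPLE_ORDERS = [
    (1, "alice@example.com", "4111********1111"),
    (2, "bob@example.com", "5500********0004"),
    (3, "carol@example.com", "3400********0009"),
]


def make_db():
    """Build a throwaway SQLite database with the constructed orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, email TEXT, card_masked TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    return conn


def lookup_orders_vulnerable(conn, email):
    """Flawed pattern: the caller's input becomes part of the SQL statement."""
    sql = "SELECT id, email, card_masked FROM orders WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_orders_fixed(conn, email):
    """Hardened pattern: the input is bound as a parameter, never parsed as SQL."""
    sql = "SELECT id, email, card_masked FROM orders WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def review_test():
    """Reviewer's regression check: row counts for a normal and a hostile input.

    The hostile value is the textbook quote-plus-tautology probe; against the
    flawed query it returns every customer's row, against the fixed query none.
    """
    conn = make_db()
    normal = "bob@example.com"
    hostile = "x' OR '1'='1"  # constructed test input
    return {
        "vuln_normal": len(lookup_orders_vulnerable(conn, normal)),
        "vuln_hostile": len(lookup_orders_vulnerable(conn, hostile)),
        "fixed_normal": len(lookup_orders_fixed(conn, normal)),
        "fixed_hostile": len(lookup_orders_fixed(conn, hostile)),
    }
```

A check like this belongs in the application's own test suite, which is the point KernelM makes in the comments: a firewall in front of the site does nothing about a query built this way.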

“Soccer league’s online shoppers get kicked by security breach” [Computerworld]

Comments

  1. Juliekins says:

    This one got me too. I bought a pair of socks there about a year and a half ago. Fortunately, the CC I used has since expired, but I went ahead and took advantage of the credit monitoring offer anyway. Now I’m beginning to wonder if this breach wasn’t the reason someone changed my billing address for me on that card a couple months after I bought the socks…

  2. KernelM says:

    either install a firewall in front of all Web-facing applications or submit custom application code to an outside security firm for a vulnerability review.

    That really should be and, not or. All the firewalls in the world don’t matter if the app is itself vulnerable.

  3. bublite says:

    @KernelM: The requirement is to install an application firewall, not a network firewall. A proper network firewall would have caught this issue.

  4. matt1978 says:

    Well, it’s fortunate that only 5 or 6 people were affected. Get it? Who cares about soccer. This is ‘Merica!

    Give me my Outback Ranch Explosion Sauce Fries.

  5. matto says:

    but are they now taking it seriously?

  6. Lazlo Nibble says:

    @matt1978: There’s a lot to be said for a game that doesn’t let the network call time-outs for commercial breaks.

  7. humphrmi says:

    @KernelM: Yeah, it scares me a lot that companies like Visa and MC are “protecting” us with things like firewall requirements (which may not do any good) and “credit monitoring”. It shows that they are neither technically nor financially astute, since neither will stop identity theft.

  8. Juliekins says:

    @humphrmi: If you’re interested, you can read all 12 of the requirements in the Payment Card Industry Data Security Standard here. They go into a great deal more depth than that in other docs, but suffice it to say Visa, MC, and the other CC companies get pretty specific when it comes to the regulations they place on companies that store, process, or transmit credit card data. That’s not to say they’re always successful, or anywhere close, but they can and do fine the shit out of people who aren’t compliant.

    If a company does everything the PCI DSS says to do, they’ll be in pretty good shape security-wise. It’s never perfect, of course. From a business perspective, it’s far better to conform to the standard so that in case of a breach the business can show it’s done its due diligence.

    PCI actually specifies a list of software vendors that are approved for use under the standard. I’ve seen this list (we’re working on this where I work) but I’m not sure I could lay my hands on it. Having read through the standard quite a few times and witnessed the consequences of non-compliance, I’m kind of amazed that people even use custom shopping cart apps any more. Any time the code changes, it has to be audited. That’s expensive. Combine that with the expense of quarterly vulnerability scans and annual pen tests and the cost of pre-fabbed PCI-approved software looks a lot more cost-effective all of a sudden.

  9. aikoto says:

    It’s crap. Monitoring is an outright scam and they only offer it to look like they’re doing something about the problem when they’re really not.

    Credit freezes are the only way to actually protect your credit. Relevant links:

    [www.jeremyduffy.com]
    [www.jeremyduffy.com]

  10. mobbo says:

    @matt1978:
    LOL you’ve obviously never been to a Houston Dynamo game or a USA vs. Mexico game.

  11. Murph1908 says:

    You should be supporting the MLB or NFL instead of them. Anyone who buys MLS gear is getting what they deserve.

    /end obligatory “my product/service/company/credit union is better than your product/service/company/bank” comment.

    10 posts before someone ragged on the OP’s choice? Needed to be done.

  12. NoWin says:

    @FitJulie: Excellent post.

    In cases such as this, it’s NOT Visa/MC that screwed up, it was the merchant and their poor/incomplete security procedures in their own charge-card processing.

    This is the consumer’s opportunity to rag big-time on the merchant (e-mail blast, snail mail, etc) on their failure to protect “their customer’s” data; EECB them when needed or warranted, and vote with your feet when appropriate.

  13. Juliekins says:

    @aikoto: I agree that paying for credit monitoring is a giant waste of money. I actually dumped my old bank for trying to sell monitoring services to me! In this case, however, MLSGear.com is footing the bill, so I’m going to take advantage of it.

    I’m also taking other actions; I plan to file fraud alerts on my credit reports and file a complaint with the FTC. I’ll file a police report if anyone actually uses the information they stole as well.

  14. m4ximusprim3 says:

    @FitJulie: Footing the bill! Brilliant! You know, because you play soccer with your foot! I like what you did there!

  15. soccer123 says:

    We had fraud on our credit card after making a purchase at two internet sites in July 2006; one of these was mlsgear.com. In December 2006 we had another instance of credit card fraud but this time the only site where we had recently made a purchase was mlsgear.com. I called them immediately because both cases must have been due to them. I was told by customer service that it was impossible because “they are a secure site”. I demanded to speak to a supervisor, which I eventually got. She finally believed me because another customer had called the same day. Now, 14 months later, they are finally recognizing that they have a problem?