July 27, 2009 4:02 PM PDT

Network Solutions breach exposes nearly 600,000

by Elinor Mills

Network Solutions is investigating a breach on its servers that may have led to the theft of credit card data of 573,928 people who made purchases on Web sites hosted by the company.

Network Solutions notified 4,343 of its nearly 10,000 e-commerce merchant customers on Friday about the breach. It affects 573,928 cardholders whose name, address, and credit card number were exposed between March 12 and June 8, said Susan Wade, a spokeswoman for Network Solutions.


Mysterious code was discovered in early June on servers hosting e-commerce customer sites during routine maintenance, she said. The company called in a third-party forensics team to help with the investigation, and the team was able to crack some of the code on July 13, determining that it could be related to credit card data, she added.

Credit card transactions were intentionally diverted by an unknown source from certain Network Solutions servers to servers outside, Network Solutions wrote in an e-mail to merchant customers.

"So we notified law enforcement and began the process of notifying our customers," Wade said. "At this point, we don't have a reason to believe that (the data) has been used, but we are working with the credit card companies," nonetheless.

Network Solutions also is paying to have credit-monitoring specialist TransUnion help the merchants notify their customers according to data breach notification laws in effect in certain states. Affected consumers will get 12 months of free credit-monitoring services.

It's unknown how the malicious code got onto the system and where it came from, Wade said.

Merchants and consumers can get more information on the Care and Protect Web site Network Solutions has set up. "We really feel terribly about this," Wade said.

"We store credit card data in an encrypted manner, and we are PCI (Payment Card Industry)-compliant. Unfortunately, any company operating in our business could have become a victim of this type of invasion," the company said in a blog post on the customer information Web site. "In this situation, the unauthorized code appears to have transmitted information about credit card transactions as they were being completed; it did not involve a vulnerability in the way we store data in our systems."

The breach does not affect Network Solutions' other businesses, which include domain registration, e-mail hosting, and online marketing.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by gggg sssss July 27, 2009 4:51 PM PDT
ROTFLMAO. Netsol gets hacked. LOL Might as well go to godaddy at 1/6 the price
by VoiceOfLogic September 12, 2009 2:20 PM PDT
This is one reason why I will never do business with them again. The first, and most important reason that I will never trust those dipsh*ts again is that they took a domain name from me and gave it to someone else with the same name. If I knew then what I know today I would have filed a complaint against them with ICANN. I had to have my credit card charge backed out because - well, I didn't get what I paid for. I had owned that domain for well over 1 year and had recently renewed it when one day, it was someone else's with the exact name as me. The domain name was my proper name and no, there was no trademark issue. I don't have a name like Nike or Sony or anything like that. Just a regular ole name. The person that has it since is some fruitcake artist. So, fvck networksolutions and their high horse.
by mmccaull July 27, 2009 5:02 PM PDT
Why are these companies still in business? If they cannot handle securing user data, then they should be replaced by those that can...
by gerrrg July 27, 2009 5:18 PM PDT
So between Heartland's intrusion and Network Solutions' current report, over 150 million people may have been affected? To put it into perspective, that's half of the entire US population.

Maybe the DOJ could spare some of their investigators on the Google hunt, to go after these credit card fraud problems?
by Mergatroid Mania July 27, 2009 7:47 PM PDT
Wow

I'm really getting tired of saying this, but once again I have been proven right. Anyone who uses a credit card over the Internet is a fool. Actually, I still prefer the word "SUCKER".

The internet was never designed for and is still not secure for monetary transactions.

Just say no. The store really isn't that far away.
by T-Guy July 28, 2009 6:58 AM PDT
I don't know... If you're that concerned about credit card fraud, it's not like going to the store is secure either. Remember TJX? Just don't use plastic, period.
by tartis99 July 28, 2009 8:14 AM PDT
Using your card over the web is just as safe as handing your card to some pimple face waitress at your local eatery.
by pentest July 28, 2009 9:01 AM PDT
The credit card data is not stolen in transit. It is stolen in the same place that data from in-store transactions are kept.
by Vegaman_Dan July 28, 2009 10:05 AM PDT
Here's a point of fact you may not know- it is common practice now in the industry for retail stores to no longer have in house servers for your credit card transactions. The sales terminal now communicates to the servers online... through the internet. The same databases that these stores use for online transactions are the ones they use for physical card transactions.

That means the shoes you bought at the local store may have just exposed your information in the same exact manner as an 'online' transaction.

There's a lot of companies that do this and it is rapidly becoming the norm due to ease of service, deployment, and adaptability.

Just because you use your card in person doesn't mean you're any less exposed.
by meandthefirst July 28, 2009 1:02 PM PDT
Just because they don't store information in house, does not stop a thief. An employee could have a card copier under the counter and overlook or place a camera and get their pin number.
by NoVista July 28, 2009 5:34 PM PDT
Easy for you to say. About the only way to get new U.S. book publications in many cases, in Australia ... is Amazon.

As for sucker, do you know who's reading your email?
by pjk0 July 27, 2009 9:03 PM PDT
Personally I find it awfully disingenuous and obnoxious that a company like this goes out and registers a domain like "careandprotect.com", apparently for the sole purpose of fielding the backlash from this stupidity (domain registered 2009-07-21), which was obviously a result of the company NOT KNOWING WHAT CARE AND PROTECT MEANS.

I don't remember exactly which management team went with which scion after Network Solutions finally split with Verisign, but from the sounds of this escapade, it sounds like the people in charge of Network Solutions today are the same pompous nitwits who made me vow in the old days never to give another dime to this organization if I had a choice in the matter. (Once upon a time we did NOT have a choice, back when NetSol was the sole domain registrar. We can call that era the "dark ages" now...)
by gggg sssss July 28, 2009 8:12 AM PDT
at least they registered it with themselves. Probably without using a credit card though
by tinlizziedl July 28, 2009 3:01 AM PDT
This is why I have a $200 credit card that I use for online purchasing. I also keep tabs on all my accounts, entering receipts and balancing them once a week.

I've seen scams where I was charged only a few bucks ($3.52) by a company I had never heard of, contested the charge, and found out that they charged tens of thousands of people like that.

Now I know where they get my number.... Thank you, Elinor. I appreciate your "critical eye."
by regulator1956 July 28, 2009 10:54 AM PDT
What's the big deal? My card was scammed for $1,850 by someone buying from Office Depot online. They shipped to this person without verifying his address.

My time was about 10 minutes. AmEx lost nothing since Office Depot screwed up.

Hopefully, Office Depot gets their act together and stops shipping to addresses they can't verify.

To me, the 10 minutes I spent was worth the lesson to Office Depot.
by aazippo1 July 28, 2009 4:53 AM PDT
Wow, that is pretty scary dude!

RT
www.anon-web-tools.tk
by inachu1 July 28, 2009 6:33 AM PDT
I bet this data was not even encrypted.
Pretty sad they felt so secure.
by Vegaman_Dan July 28, 2009 10:08 AM PDT
Retail stores typically do *not* encrypt the data between the terminal and the receiving server. Once it's on the server it is encrypted, but that does little to prevent the man in the middle sort of exploit.
by omegajb July 28, 2009 7:37 AM PDT
I love how there will be no fallout with NS over this, a breach of this magnitude should have them fined by the government, this is the only way they will learn.
This is what scares me about online medical records, if companies cannot be trusted to protect financial information why would I think anything else could be.
by cloudmatt July 28, 2009 9:08 AM PDT
I like how they say they don't know how. I'd bet money it was some administrator/upper management kinda person that downloaded a free screen saver/game. If it was anything else they would have located, fired, then crucified by the media the party involved.
by regulator1956 July 28, 2009 10:56 AM PDT
Possibly an Admin, but we're talking about a company that has 1,000's of servers. Upper management only has time to infect their laptops. They don't deal with the servers.
by Shashi-b July 28, 2009 11:03 AM PDT
Hi Elinor,

We appreciate your posting. The Network Solutions team across all levels within the organization has been working round the clock to promptly respond to customer concerns at www.careandprotect.com and we are working with law enforcement to conduct a full investigation.
Assuring the security and reliability of our services to customers is our most important priority. That said, we have examined what happened and have taken additional precautionary steps and will continue to do so.

Thanks,

Shashi B
by kwhatcher July 28, 2009 2:38 PM PDT
Just using simple white-list technology would have prevented this.. I just don't understand why sysadmins refuse to believe that you CAN STOP unknown code from ever running on a system.

https://www.bluepointsecurity.com/products/enterprise

If someone lost my info because they failed to use simple technology like that (or something like SELinux if it is a linux box), I would not be a happy camper.

I do have to give props for proactively finding the issue. That doesn't seem to make the news often.
by raywkirk July 28, 2009 2:35 PM PDT
Didn't we hear the same lame BS from the same management idiots when they were called VeriSign and Screwed Up royally?
I agree with the prior posters.
We need to fine the livin' bazoozes outta these bozos.
If they fail, GOOD.
by thomasconsidine August 9, 2009 3:26 PM PDT
We all pay for this error. Office Depot, Heartland, Network Solutions all pass the costs of identity theft back on us. Over $60 billion was lost in 2008 due to identity theft and security breaches. Businesses "DON'T" write off these losses, they pass them on to me and you as higher prices and fees.

The cost to every American is $196 dollars a year, have a spouse and 2 kids? Now you're paying $784 dollars per year. Contact your legislator and ask them to introduce similar consumer protection laws as Massachusetts 201 CMR 17. This is the only type of law that will stop most forms of identity theft.