March 5, 2001 4:50 PM PST
Hack at Amazon-owned service exposes thousands
Waltham, Mass.-based Bibliofind, which links buyers and sellers of hard-to-find and out-of-print books, discovered last week that a hacker had broken into its Web servers sometime in October and had continued to access the company's site since then, Bibliofind spokesman Jim Courtovich said. The hacker downloaded customer records from the site, including customers' names, addresses and credit card numbers, Courtovich said.
In response to the discovery, Bibliofind, a wholly owned subsidiary of Amazon, shut down its Web site Friday and removed customers' credit card information and addresses from its servers, he said. Courtovich declined to say whether Bibliofind had identified a suspect in the attack, saying only that the company notified the Federal Bureau of Investigation, which is looking into the matter.
"Bibliofind has just learned of a security violation on its site that compromised the security of credit card information used on Bibliofind's servers," the company said in an e-mail message to customers. "We are working to bring the Bibliofind service back into operation shortly. We apologize for any inconvenience this may cause you."
Although Bibliofind has notified credit card companies of the attack, the company does not have any indication that the numbers have been used, Courtovich said.
The fact that a hacker had access to Bibliofind's records for four months without Bibliofind discovering the breach is simply a case of the company not keeping a good eye on its site, said Richard Power, editorial director of the Computer Security Institute. With that much time and access to Bibliofind's systems, the hacker could possibly have found much more than customer records; he might have been able to find a backdoor into Amazon.com, Power said.
"It's going to take a while for them to figure out how much damage was really done and who else may have been compromised by being connected by their sites," Power said.
Amazon spokeswoman Patty Smith said the Seattle-based e-tailer's servers were not affected by the attack on Bibliofind. Amazon does not share customer information with Bibliofind and no Amazon customer information was compromised by the breach, she said.
"They operate on a different platform than what our server is running on," Smith said. "The integrity of Amazon's systems was never in question."
The Bibliofind breach is only the latest in a string of security breaches at leading e-commerce sites. A breach at Columbia House's Web site left open some 3,700 customer records last month. And in January, a security hole at Travelocity.com exposed the personal information of up to 51,000 customers.
Meanwhile, a breach at Egghead.com in December potentially exposed its entire customer database of 3.7 million records.
By shutting down its Web servers, Bibliofind also closed down access to Musicfile.com, which shares the same server as Bibliofind. Musicfile's customer records were not affected by the breach, Courtovich said. Bibliofind went back online Monday afternoon.
Amazon acquired both companies when it bought Exchange.com in April 1999.