Updated at 9 p.m. PDT with more details from a Symantec representative.
Symantec is investigating allegations that a call center in India leaked credit card numbers of its customers to someone who then sold them to BBC News reporters posing as criminals.
The security company has informed U.K. privacy authorities and attorneys general and officials in eight U.S. states and Puerto Rico of the allegations that three U.K. customers had credit card information leaked and that about 200 U.S. customers may have been affected because of interactions with the call center, Symantec spokesman Cris Paden said Tuesday.
"We nailed it down to one agent at the call center" who handled the Symantec customers, he said. That agent was put on administrative leave pending the outcome of the investigation, Paden added.
In addition to Puerto Rico, the states contacted were New Hampshire, Maryland, New Jersey, Maine, Massachusetts, New York, Virginia, and North Carolina, Paden said.
It was unclear exactly how the data of the three U.K. customers got from the call center into the hands of the man who the BBC News said sold the credit card numbers. Nor was it clear whether any data from the U.S. customers was leaked. Paden said there is no evidence that any U.S. data was exposed.
In a letter to New Hampshire Attorney General Kelly Ayotte dated March 24, the security vendor said it is "investigating a potential security incident involving a small number of customers' credit card information."
The letter said Symantec was sending a notice to a customer in New Hampshire who may have been affected by the alleged incident, even though the company does not believe a security breach, as defined by New Hampshire statute, had occurred.
The company added that even though it has no evidence that credit card information of any U.S. resident was actually compromised, it is offering its customers one year of identity protection services through Debix as a precautionary measure and reviewing its "security processes and third-party vendor protocols."
The BBC News reported on March 19 that undercover reporters posing as fraudsters had gone to Delhi to buy 50 credit card numbers, at $10 a card, from a man who claimed to have gotten them from a call center. They filmed the interaction. The man denied any wrongdoing, the BBC said.
When the reporters contacted some of the card owners, three of them said that they had bought Norton software from Symantec over the phone using their credit cards.
Symantec has set up an e-mail address for customers who want more information: global_purchase_query@symantec.com.
The BBC recently got flak for purchasing a botnet and using it in some tests to show the dangers that Web surfers face.
The IDG News Service is believed to be first to report on the Symantec letters.
Updated April 1 to clarify which media outlet is believed to have first reported the news.
To demonstrate the threats from botnets, the BBC purchased a network of 22,000 infected computers, used it to spam its own e-mail accounts and for a denial-of-service test, and then left messages on the hijacked computers that they were infected.
The BBC's Spencer Kelly discusses how the BBC's botnet spammed two e-mail accounts the company created as a test. (Credit: BBC)
The BBC's Click technology program said it acquired the "low value" botnet after visiting Internet chat rooms and used the network to spam a Gmail and Hotmail account it created for the spam test. It demonstrated the test in a video that accompanies a BBC article about the expose on Thursday.
The e-mail accounts received thousands of spam messages within hours, the video says.
The botnet also was used in a distributed denial-of-service attack on a test site owned by security company Prevx. After the demo attacks were complete, the BBC left messages on the infected computers used in the botnet telling them they were infected and offering information for how to secure their systems, and then disabled the botnet, the company says.
No personal information was accessed on the infected PCs, the BBC said. "If this exercise had been done with criminal intent it would be breaking the law," the article said.
However, a European law firm says the BBC may in fact have broken the law despite its good intentions.
The BBC violated the Computer Misuse Act by acquiring and using the software to control the botnet, according to Struan Robertson, a technology lawyer with Pinsent Masons and editor of the firm's Out-Law.com site.
"It does not matter that the e-mails were sent to the BBC's own accounts and criminal intent is not necessary to establish an offence of unauthorized access to a computer," Robertson said.
"The Act requires that a computer has been made to perform a function with intent to secure access to any program or data on the computer. Using the botnet to send an e-mail is likely to satisfy that requirement," he wrote. "It also requires that the access is unauthorized--which the BBC appears to acknowledge."
Robertson said it is unlikely the BBC will be prosecuted because its action probably caused no harm.
Robertson notes that the BBC said on Twitter that it had consulted with lawyers before it acquired the botnet and took action.
A flood of e-mails pretending to be from MSNBC contain links to malicious software, security companies warned Wednesday.
According to an MX Lab blog post, subject lines always start with "msnbc.com - BREAKING NEWS" then are followed with a variety of possible headlines, including: "Google launches free music downloads in China"; "Plane crashes into prep school, hundreds of kids killed"; "Please give your opinions for change"; and "US Dollar hits 6-year high, further gains expected."
The Web address http://breakingnews.msnbc.com is valid if you type it into your browser; however, clicking the link within the body of the e-mail will take you to another site entirely. The bogus site will then ask you to download a Flash video file. It is the file adobe_flash.exe that contains a malicious Trojan horse.
Sophos and Websense also issued warnings about the e-mails. Earlier this month, Sophos warned that fake CNN Top Ten e-mails contained a similar Trojan horse. In 2006, the BBC was used in a similar attack.
Disclosure: CNET News is published by CBS Interactive, a unit of CBS.





