Midwest Supplies Security Breach

[russki]

This was posted on HBT over the weekend by Midwest Supplies:

Recently we learned that despite our best efforts the security of our website was breached by an outside party. For certain types of transactions, this breach may have resulted in the outside party being able to capture and use customer credit card information entered at the time of the transaction. When we identified the breach, we immediately secured our servers, hired a technical team to investigate and help resolve the situation, notified the credit card companies and law enforcement, and obtained legal counsel specializing in computer hacking to help us navigate the very specific legal notification requirements for all 50 states. At this time, all of the notifications have been made, and letters have been sent to all customers that may have been impacted. We regret not providing an update sooner, but we did not want to comment publicly until our investigation was complete and we were able to identify and notify those potentially affected.

Our investigation has now been completed and we are satisfied that the situation has been resolved and that all affected customers have been identified. We have also implemented extensive steps to prevent this kind of incident from happening again. In addition, we sent a letter to each customer who may have been impacted, notifying them of the incident and providing our sincere apology and a credit for $25 worth of homebrewing or winemaking supplies. If you have any questions or concerns please contact our customer service department by phone at 888-449-2739. Rest assured that if you were not contacted you were not among the customers impacted.

We have spent many years working to earn your trust and loyalty. And we recognize an attack like this can undermine that trust. As one brewer to another, you can rest assured that we won’t rest until you’ve brewed your best.

David Kidd

President
__________________
Beer and Wine Making Supplies since 1995
http://www.midwestsupplies.com

I placed an order with Midwest back in June, and had unauthorized charges to my credit card. I have not received any communication from Midwest as stated. Anyone else had this happen?

[RickBeer]

That's a major cluster*&^@. PCI requirements are that the credit card numbers be encoded and NOT stored, so they were violating that. The number gets stored at the credit card processor, NOT at the merchant.

Lawsuits coming. Hope the new owners are ready for them.

[russki]

That's a major cluster*&^@. PCI requirements are that the credit card numbers be encoded and NOT stored, so they were violating that. The number gets stored at the credit card processor, NOT at the merchant.

Lawsuits coming. Hope the new owners are ready for them.

They were not stored; according to some other documents posted on HBT, their server was injected with malware that forwarded CC#'s (and other personal info) as they were entered during an order placement to an unknown third party.

[RickBeer]

Wow. Not good at all.

[gwcr]

Not good to hear that. Thanks for bringing it to our attention!

[jivex5k]

Damn...
I hope you get some communication at the least, and a bigger gift card than $25 which won't buy much from a homebrew store.

[RickBeer]

Most companies that have this happen offer their customers a credit monitoring service for a period, usually a year. Midwest is only offering the future discount.

[Gymrat]

I have always used my paypal account with them. It has a lot to do with why I shop there.

[RickBeer]

For those that aren't aware, SOME credit cards allow you to create a safe number to use for a purchase or purchase(s). One brand is called ShopSafe, which is used by Bank of America. It's free to card holders, you log on the site, tell them you want to make a virtual number, and after verifying your identify it makes a number. You pick a credit limit and an expiration date, and you're all set. You can change the limit in the future also.

It's great for sites that need a credit number (i.e. Google Play Store) but you don't ever want to buy - set a $1 limit.

It would help in this case, they'd have your name, address and a virtual credit card number with a set limit that you could go in and nuke right now. Then they'd just know who you are.

Of course are credit card providers cover our losses, but you have to go through the trouble of getting a new number and then changing all your automatic payments. With a virtual number like one from ShopSafe, you wouldn't have to do that.

[LouieMacGoo]

Im going to make this a global sticky for the next week. I think this important information for people to see in case they are affected!

[Tabasco]

Crap! I just bought two corny's a week ago!

[russki]

Crap! I just bought two corny's a week ago!

I think they have fixed the problem by then. Most people affected seemed to have placed orders in June.

[RickBeer]

Seems like they had to get their legal ducks in a row before they went public with it.

[jimjohson]

that's good know information RickBeer. thanks

[DaYooper]

Just got my $25 gift card and cant complain. For a credit card you simply need to dispute and if its a problem they will handle it. Cant complain as they didn't have to do that and a show of good faith. If you can hack into NASA, etc, who is to blame a small company. Kudos to them with handling this.