Online payment firm Ecount thwarted a hacker's threat that he would publicize customer information unless the firm paid him an unspecified amount of money.
The hacker accessed Webcertificate.com accounts from Ecount's servers last month, apparently believing the accounts contained credit card information. Of about 750,000 members, 25 accounts were accessed.
Instead, the accounts likely contained only customers' e-mail addresses, Webcertificate numbers and possibly passwords, said Matt Gillin, CEO of Ecount.
Ecount, Conshohocken, PA, operates Ecount.com and Webcertificate.com. Both sites offer online payment services via MasterCard-branded stored value cards. The services let consumers make online purchases without exposing their credit card numbers or other financial information.
Though Ecount executives could only confirm that 25 accounts were accessed, they issued new account numbers and passwords to all members and blocked former numbers.
“You're receiving this new account number as a security precaution because we have reason to believe that some Webcertificate account information may have been inappropriately accessed,” an e-mail to Ecount and Webcertificate customers read. “Before making these changes, we evaluated your transaction history and confirmed that your account has been used properly and only by you.”
Ecount customer service also phoned customers who could not be reached by e-mail to give them the new account information.
Gillin does not know exactly what customer information the hacker obtained. However, he said the extortion attempt failed because the hacker did not obtain credit card information and, rather than give in to his demands, Ecount executives immediately contacted the FBI. The hacker did not specify how much money he wanted in exchange for not publicizing the customer information, or how he would publicize it.
“Basically, he failed because we never have, nor will, store credit card numbers,” Gillin said.
Credit card data is likely the information the hacker thought he had, Gillin said. Webcertificate numbers look similar to credit card numbers, he added.
Ecount also brought in experts from Ernst & Young's Fraud & Security Unit to help identify weaknesses in its servers. Ecount has since added security features to its servers, which Gillin declined to detail, to “make sure this can't happen again.”
Gillin does not think Ecount will lose customers over the hack.
“We never considered keeping it quiet, and so far, our customers have expressed appreciation … for us being very forward and upfront,” he said. “My sense is that they viewed it as a clear indication that their trust and security is our top priority.”
“The reality is, next time you logged onto your Webcertificate, you would have seen a new number there and would never be the wiser, but we wanted to make sure we were very proactive in our communication,” he added.
Gillin is using the foiled extortion attempt to generate positive PR for Ecount's online payment system.
“This attack is a perfect example of why consumers concerned with credit card theft over the Internet should seriously consider using Ecount payment products,” he said in a statement from the company.
Meanwhile, the FBI continues to investigate the incident. Ecount was not a specific target of the hacker, who is likely part of a group of sophisticated hackers that attempts credit card theft daily, Gillin said.