Network Solutions, a provider of Web-related services for small and medium businesses, has started reaching out to customers about a data breach that was discovered in early June. Credit card information on 573,928 individual consumers may have been compromised in the breach, which Network Solutions publicly reported at the end of the day on July 24.
Fewer than half of the company’s 10,000-plus e-commerce services customers were affected in the breach, which occurred when hackers implanted unauthorized code on the system used to deliver e-commerce tools to clients. Over a three-month period, from March 12 to June 8, the code diverted transaction and personal information from 4,343 merchant Web sites to a rogue server.
Susan Wade, director of PR for Network Solutions, said that the unauthorized code was discovered on June 8 during routine procedures, and Network Solutions immediately called in a team of data breach forensics experts to analyze the leak and track it. The experts did not crack the code until July 13. When the team discovered that credit card information was at risk, Network Solutions reported the incident to federal law enforcement, which is currently investigating the situation. So far, none of the at-risk cards has been misused.
Network Solutions informed clients of the breach through e-mail and postal mail last week and has offered to help its clients notify affected individual cardholders. In a preemptive PR effort on Friday, the company also reached out to select bloggers and reporters, started monitoring Twitter and responding to blog posts, and launched a new Web site and blog about the breach at CareandProtect.com. The site offers FAQs and invites clients and consumers to weigh in on the breach.
“We were proactive in getting the news out,” Wade said. “We’re having an open dialogue with customers, so anyone can go to the site and see what the dialogue is.”
Network Solutions is also offering affected cardholders 12 months of free fraud monitoring service from TransUnion. Wade says the company has put additional security measures in place to protect against future breaches.
“The main message we want to get out is that we’re there for our customers, and we are very sorry about this,” Wade said. “Unfortunately, something like this could happen to any online business, so we’re just letting our customers know that we’re there for them, we will help them as much as we can, and we take this issue very seriously.”
Amichai Shulman, CTO of database security company Imperva, lauded Network Solutions for bringing in a forensics team right away, but noted that the breach illustrated larger database security problems faced by many companies.
“This incident points out the basic problem of cloud computing,” he said. “With many more companies hosting their data on the Internet, the databases and the servers they are hosted on become phenomenally attractive. The lesson: once you’ve penetrated the cloud, you’ve got an easy path to the important, underlying data.”
He added that announcing the breach closer to its time of discovery would have seemed more credible.
“I don’t think they did worse than others in such cases, but I think that the industry standard is behind what customers expect,” he said.