SwimOutlet.com Data Breach Stats

Yesterday, Tues Jan 17, I received a 🐌 snail mail “Re: Notice of Data Breach” letter from SwimOutlet dated Jan 12, 2017. I’m having a hard time confirming the validity of this letter on the Internet. Using phrases in the letter, I’ve found a single match PDF on justice.oregon.gov. Based on the PDF on justice.oregon.gov YogaOutlet.com shares the same infrastructure and was also affected. Assuming it is real, incredibly SwimOutlet.com and YogaOutlet.com have no information about this on this website and I have no emails from SwimOutlet.com on this issue.

Here are some statistics I’ve calculated based on when I received the letter:

  • 204 days of credit card data may have been stolen
  • 79 days since credit card processor reported unusual activity to SwimOutlet.com
  • 79 days since “immediately began” “work[ing] with third-party forensic expert”
  • 28 days to confirm may have compromised credit card data
  • 22 days or more that the criminals were on the systems
  • 45 days SwimOutlet.com waited to notify customers after confirmation
  • 5 days more wasted in the time an email would have been received and snail mail was received.
  • 100% chance that debit and credit card data was stored insecurely: cardholder’s name, address, phone number, email address, card number, expiration date, and CVV
  • 2 pages of generic “remain vigilant” useless credit reporting bureaus reminding you how insufficient industry’s and government’s safeguards are.
  • 1 unlisted phone number that if lucky is actually a Subway in Wilkesboro, NC

  • Zero information published online by SwimOutlet.com / YogaOutlet.com
  • F grade for response and communicate by SwimOutlet.com
  • 0% chance I’ll trust these people with my payment information ever again

Here is the sample letter from justice.oregon.gov that seems to read verbatim to the letter I’ve received:

January 12, 2017

Re: Notice of Data Breach

Dear Sample A Sample:

For nearly 15 years at SwimOutlet.com, our customer service and online shopping experience have been our company’s top priorities, so we were dismayed to learn in late November that we had been the victims of a sophisticated cyber-attack that may have affected the security of our customers’ payment information.

We are contacting you personally to provide you with clear information about the incident, steps we are taking in response and action you can take to protect against fraud should you feel it is appropriate.

We apologize for the inconvenience this may have caused and can assure you that we worked hard with top security experts to make our site as safe as possible from these cyber-criminals going forward.

What Happened? On October 31, 2016, we began investigating some unusual activity reported by our credit card processor. We immediately began to work with third-party forensic experts to investigate these reports and to identify any signs of compromise on our systems. On November 28, 2016, we received confirmation of a sophisticated cyberattack in which a hack into our system may have compromised some customers’ debit and credit card data used at http://www.swimoutlet.com between May 2, 2016-November 22, 2016. The information at risk as a result of this event includes the cardholder’s name, address, phone number, email address, card number, expiration date, and CVV.

Our Response: What We Are Doing. We take the security of our customers’ information extremely seriously and we have been working with independent forensic investigators to determine what happened, what information was affected and to implement additional procedures to further protect the security of customer debit and credit cards. We are also working with the Federal Bureau of Investigations to investigate this incident. The software from the criminals that attacked our system has been removed and you can safely use your payment card at http://www.swimoutlet.com.

What You Can Do. Please review the enclosed Privacy Safeguards Information for
additional information on how to better protect against identity theft and fraud. We
encourage you to remain vigilant against incidents of identity theft by reviewing your account statements regularly and monitoring your credit reports for suspicious activity. Under U.S. law, you are entitled to one free credit report annually from each of the three major credit bureaus. To order one, visit http://www.annualcreditreport.com or call 1-877-322-8228. You may also contact the three major credit bureaus directly to request a free copy of their credit report.

For More Information. Should you have any questions about the content of this letter or ways you can better protect yourself from the possibility of identity theft, we encourage you to call the dedicated assistance line, staffed by professionals who are experienced in working through situations like this, at (877) 237-5190, Monday through Friday, 9 a.m. to 7 p.m. EST (closed on U.S. observed holidays) and provide reference number 1219010417 when calling.

The security of your information is incredibly important to us and we let down our
customers, which is why we wanted to contact you as promptly and with as much detail as we could. We are truly sorry about this. The incident will only make us work harder to be the best aquatics shop on the web and serve our customers as best as we possibly can.

Sincerely,

Avi Benaroya
Chief Executive Officer, SwimOutlet.com

Minimalist Software is a Lot of Work

It is the right work. It is the most rewarding work. It is the most accessible and usable work.

I use the Vim plain text editor just often enough to ensure that I’m constantly forgetting how to use it, but when I am using it, I like to manage its plugins with vim-plugin.

Its creator works diligently to have it live up to being the “minimalist Vim plugin manager” and it shows in its easy of use and performance.

“vim-plug labels itself as “minimalist plugin manager” and I’m not in favor of adding more features to it. Unlike “modern” editors, Vim is basically a single-threaded, synchronous program, and to start a background process, you’ll have to use a bleeding-edge version of Vim or Neovim, while one of the strong points of vim-plug is its obsession with backward compatibility (almost all of its features work in archaic Vim 7.0 with Git 1.7)” ~junegunn

Junegunn inspires me! His incredibly generous is evident in the beautiful software he creates. Looking around his git repositories and issues trackers reveals a very thoughtful, generous and talented person.

Thank you Junegunn!

Account Reset Terror

Email subjects on emails from the end of last week:

I expect more emails like this over the next week. Only the last one — the blog post from my former employer Automattic — reflects a company taking appropriate steps:

We checked the accounts of 600,000 other WordPress.com users whose email addresses were included in the list. Since these users were not immediately vulnerable, we did not reset their passwords or send emails but will be enabling a notification in their dashboards so that they can assess the security of their passwords at their leisure and with all of this information in hand.

It is frightening that “over 100,000 accounts for which the password given in the list matched the WordPress.com password”. That is over 14% of the gmail address that matched. Still I’m not sure that justifies the other service provider wholesale resetting all the gmail addresses that match.

I have accounts on a large number of services. It feels like I’m now regularly getting more required password reset emails and “If you didn’t make this request, it’s likely that another user has entered your email address by mistake and your account is still secure.”

Are IMDB and Etsy’s approaches good? Does it help customers?

Are real solutions to today’s authentication challenges on the horizon?

Joyeur

My start date at Joyent was Monday, August 19, 2013. At the end of this week, I’ll have been at Joyent for nine months.

Writing this post after nine months is a coincidence. The impedance for this post is actually my colleague DeirdrĂ© Straughan’s Joyent Retrospective.

The video is a “retrospective of the videos [DeirdrĂ© has] done in the last few years”. The video is wonderfully playful. Joyent CTO Bryan Cantrill appears to fidget along to the music.

The experiences highlighted in the video are the real gift. Deirdré links to all the the videos (with the exception of the internal meet-and-greet ones). Deirdré has done an incredible job leading Joyent sharing so much of its technical expertise.

Watching Joyent Retrospective brings to mind the journey I’ve been part of here. I thought I knew what I was getting myself into, but I really had no appreciation of the depth and pragmatic uniqueness of this team and technology. No company compares to Joyent in density of expertise in Infrastructure as a Service and as a product. This team has deep, deep, strong roots and continues to execute on its vision.

A better ride in the big city

Julia is sick, so I had to return her heavy photography lighting today. I was naive to the amount and weight of equipment that professional portraiture involves.

I was happy to take an Uber for free when I used PayPal as payment for the first time (expires Nov 28, 2013): http://blog.uber.com/paywithpaypal

If you don’t have an account, you can get another $10 credit using my referral code: http://www.uber.com/invite/uberlloydde

I’m relieved I didn’t have phone a taxi company only for one not to show, or to try to hail down a taxi. I’m too old for white-knuckled rides through the city.

I don’t use Uber much as I like to walk and use public transit. When I do need it, I’m very thankful for the service.

I’m terrible with names of people, addresses, and locations. Uber makes me feel more comfortable navigating San Francisco. I can enjoy San Francisco more. Uber is easy and it works.

Also, as a technology professional Uber inspires me.

20131126ubercom--features-phones-web-sprite@1x-8

One Year and Ten Months Without Pants

I finished reading The Year Without Pants: WordPress.com and the Future of Work by Scott Berkun Thursday night. It’s already one of my favorite books ever, but I’m obviously incredibly biased here!

It’s weird to read a book covering a big chunk of your own life. I was employee 10 at Automattic and worked there for five of the best years of my life. I was there for most of the time that Berkun was, though it felt like we were at opposites ends of the company. I left Automattic about six months before Berkun left. I wish I had this book to read while I was at Automattic. It would have shaped my thinking!

Of course, this is going to be my favorite Berkun book, but there is a huge awkwardness of it all — are there other business leadership books of this style? has anyone pulled off keeping themselves in it? Berkun comes off as machiavellian, when I don’t think he really is.

There is a real reason why all autobiographies are incomplete, and great biographies either burn relationships or are written about the finished and the dead.

I’m eager to hear and read Automatticians, “formermatticians”, and other insiders thoughts on the book, particularly expanding on or challenging the history and stories of Automattic that Berkun shares. Don’t get me wrong, the insights that can be applied regardless of how Scott’s experiences and perspective align. The book is fully of incredible project management and business leadership insights that will stand on their own through the tests of time.

It’s only been a week since the release, but I haven’t seen any reviews that really expand on the history of Automattic.

I do really enjoy how mdawaffe, aka Mike Adams, ends his post “Seven Years Without Pants” with:

I’m pretty sure the party was only the eighth time Scott and I had ever met in meatspace (a.k.a. “real life”). A good friend, my former boss, and a formative teacher of mine, Scott and I have only ever seen each other eight times. If you don’t understand how that’s possible, read the book.

I’ll update this article with online discussions from insiders as I find them.

Interesting

  • Evan Solomon in “A Two Year Old Conversation Shows Up In a Book”

    I think [letting someone be employee and reporter at the same time is a] mistake. It puts employees in a difficult and ultimately lose-lose situation to be unsure whether conversations are private or public. It doesn’t bother me much that Scott was frustrated by my communication style, but I don’t think it’s his place to share that frustration with the world any more than it would be my place to talk about my current colleague’s personal habits at work without their permission. I would consider doing that a clear violation of trust.

Storied

  • none so far

Soft

  1. Raanan Bar-Cohen

    “A bit surreal to read about your own work, and I’ve found over the years that all my colleagues have a great work ethic.

    What I like is that Scott hits on a point that I find very true — which is that companies that have big audacious goals such as ours, and give employees freedom to define the methods of achieving them – tend to attract people who are passionate and love what they do. And that combo tends to result in amazing outcomes and companies that have a culture that attracts fantastic talent.”

  2. Beau Lebens
  3. Andy Peatling
  4. WordPress.com Interview by Krista Stevens

    Berkun: I was most surprised to rediscover that it’s the fundamentals. If you can build trust, provide clarity, and hire well, every other obstacle can be conquered. My story in The Year Without Pants follows how I tried to achieve those things despite a decade age gap, 100% remote workers, radically different culture, and more, any of which would be terrifying to most managers on their own, including myself.

  5. Alex King

    I found Scott’s story to be interesting and self-aware; an introspective and honest account of how his team operated. I am fortunate to be friends (or at least friendly) with many of the people mentioned in the book. Scott’s characterizations of them, their personalities and humor struck me due to their accuracy with my own experiences. This made it easy for me to fully embrace what I was reading.

  6. Paul Maiorana
  7. Hugo Baeta
  8. Lance Willett

Matt mentioned “This news comes in a fun week generally: Scott Berkun’s book about Automattic is out today and getting rave reviews” in More Tiger Secondary.

Hoping

What topics around Automattic and the WordPress.com business are you most interested in learning more about?

A Year at WordPress.com, The Book

The Year Without Pants

Today, The Year Without Pants: WordPress.com and the Future of Work by Scott Berkun was released.

I’m ecstatic that there is a book sharing experiences and insights based on the most incredible workplace I’ve ever worked “at”, Automattic, working for the most inspiring and inspired boss Matt Mullenweg. This is your chance to get inside the magic of Automattic, a fully distributed team — everyone works from home! — and learn from one of the best leadership and (software) product development authors, Scott Berkun!

Berkun became one of my favorite authors after Matt Mullenweg recommended Berkun’s The Myths of Innovation to everyone at Automattic. It is among my favorite books. Berkun is the most readable author I’ve found and he doesn’t waste a word — like no one else, I felt my time was valued.

Family commitments meant I never got to attend any of Berkun’s workshops, or am fully appreciated now, really meeting him. It also felt let we worked at opposite ends of the company.

I’m six chapters in to Without Pants and thoroughly enjoying it! I’d already recommend you pick it up too!