Yesterday, Tues Jan 17, I received a 🐌 snail mail “Re: Notice of Data Breach” letter from SwimOutlet dated Jan 12, 2017. I’m having a hard time confirming the validity of this letter on the Internet. Using phrases in the letter, I’ve found a single match PDF on justice.oregon.gov. Based on the PDF on justice.oregon.gov YogaOutlet.com shares the same infrastructure and was also affected. Assuming it is real, incredibly SwimOutlet.com and YogaOutlet.com have no information about this on this website and I have no emails from SwimOutlet.com on this issue.
Here are some statistics I’ve calculated based on when I received the letter:
- 204 days of credit card data may have been stolen
- 79 days since credit card processor reported unusual activity to SwimOutlet.com
- 79 days since “immediately began” “work[ing] with third-party forensic expert”
- 28 days to confirm may have compromised credit card data
- 22 days or more that the criminals were on the systems
- 45 days SwimOutlet.com waited to notify customers after confirmation
- 5 days more wasted in the time an email would have been received and snail mail was received.
- 100% chance that debit and credit card data was stored insecurely: cardholder’s name, address, phone number, email address, card number, expiration date, and CVV
- 2 pages of generic “remain vigilant” useless credit reporting bureaus reminding you how insufficient industry’s and government’s safeguards are.
- 1 unlisted phone number that if lucky is actually a Subway in Wilkesboro, NC
- Zero information published online by SwimOutlet.com / YogaOutlet.com
- F grade for response and communicate by SwimOutlet.com
- 0% chance I’ll trust these people with my payment information ever again
Here is the sample letter from justice.oregon.gov that seems to read verbatim to the letter I’ve received:
January 12, 2017
Re: Notice of Data Breach
Dear Sample A Sample:
For nearly 15 years at SwimOutlet.com, our customer service and online shopping experience have been our company’s top priorities, so we were dismayed to learn in late November that we had been the victims of a sophisticated cyber-attack that may have affected the security of our customers’ payment information.
We are contacting you personally to provide you with clear information about the incident, steps we are taking in response and action you can take to protect against fraud should you feel it is appropriate.
We apologize for the inconvenience this may have caused and can assure you that we worked hard with top security experts to make our site as safe as possible from these cyber-criminals going forward.
What Happened? On October 31, 2016, we began investigating some unusual activity reported by our credit card processor. We immediately began to work with third-party forensic experts to investigate these reports and to identify any signs of compromise on our systems. On November 28, 2016, we received confirmation of a sophisticated cyberattack in which a hack into our system may have compromised some customers’ debit and credit card data used at http://www.swimoutlet.com between May 2, 2016-November 22, 2016. The information at risk as a result of this event includes the cardholder’s name, address, phone number, email address, card number, expiration date, and CVV.
Our Response: What We Are Doing. We take the security of our customers’ information extremely seriously and we have been working with independent forensic investigators to determine what happened, what information was affected and to implement additional procedures to further protect the security of customer debit and credit cards. We are also working with the Federal Bureau of Investigations to investigate this incident. The software from the criminals that attacked our system has been removed and you can safely use your payment card at http://www.swimoutlet.com.
What You Can Do. Please review the enclosed Privacy Safeguards Information for
additional information on how to better protect against identity theft and fraud. We
encourage you to remain vigilant against incidents of identity theft by reviewing your account statements regularly and monitoring your credit reports for suspicious activity. Under U.S. law, you are entitled to one free credit report annually from each of the three major credit bureaus. To order one, visit http://www.annualcreditreport.com or call 1-877-322-8228. You may also contact the three major credit bureaus directly to request a free copy of their credit report.
For More Information. Should you have any questions about the content of this letter or ways you can better protect yourself from the possibility of identity theft, we encourage you to call the dedicated assistance line, staffed by professionals who are experienced in working through situations like this, at (877) 237-5190, Monday through Friday, 9 a.m. to 7 p.m. EST (closed on U.S. observed holidays) and provide reference number 1219010417 when calling.
The security of your information is incredibly important to us and we let down our
customers, which is why we wanted to contact you as promptly and with as much detail as we could. We are truly sorry about this. The incident will only make us work harder to be the best aquatics shop on the web and serve our customers as best as we possibly can.
Chief Executive Officer, SwimOutlet.com
Email subjects on emails from the end of last week:
- “Etsy Security Notice”
- “Your IMDb password has been changed”
- WordPress.com News “Gmail Password Leak Update“.
I expect more emails like this over the next week. Only the last one — the blog post from my former employer Automattic — reflects a company taking appropriate steps:
We checked the accounts of 600,000 other WordPress.com users whose email addresses were included in the list. Since these users were not immediately vulnerable, we did not reset their passwords or send emails but will be enabling a notification in their dashboards so that they can assess the security of their passwords at their leisure and with all of this information in hand.
It is frightening that “over 100,000 accounts for which the password given in the list matched the WordPress.com password”. That is over 14% of the gmail address that matched. Still I’m not sure that justifies the other service provider wholesale resetting all the gmail addresses that match.
I have accounts on a large number of services. It feels like I’m now regularly getting more required password reset emails and “If you didn’t make this request, it’s likely that another user has entered your email address by mistake and your account is still secure.”
Are IMDB and Etsy’s approaches good? Does it help customers?
Are real solutions to today’s authentication challenges on the horizon?