Online Pet Retailer Leaked 110k+ Credit Card Details Months After Being Notified by Security Researchers
Large data breaches always seem to make the news, but what about the countless small businesses that often have fewer data security measures in place? Small businesses are now among the most targeted victims of cyber crime, and the trend is rising. Researchers believe small-business customer data is an even more attractive target precisely because these companies are smaller and have fewer resources to detect, or protect against, a data breach or data leak.
In November 2016, Kromtech Security researchers discovered a database associated with one of the biggest online pet retailers. We immediately notified the site owners about the misconfigured database but never received any response. We had hoped someone would reply and secure the database, but for six months nobody did. The database held over 110,000 customer accounts and payment details. If this data were to fall into the wrong hands and be used for fraud, the company could face more than damage to its reputation: it could face fines and possible regulatory action.
In total, Kromtech Security researchers sent three email notifications and made a follow-up phone call to alert the company to how much customer data was publicly available and to urge them to secure it as soon as possible. What good is identifying a security vulnerability and notifying the affected company if the company refuses to take action to secure its own data or protect its own customers? The only way cyber security and data protection can keep pace with ever-evolving threats is if companies and individuals take them seriously and make the necessary changes to how they protect data.
Mishandling customer payment data is not just reckless; it can have legal consequences for the companies or individuals responsible. Under the Payment Card Industry Data Security Standard (PCI DSS), retailers that process card payments face serious consequences for failing to follow the required security controls in their daily operations. In particular, sensitive authentication data such as the CVC, CVV and CVV2 must not be stored after authorization, even if encrypted (PCI DSS Requirement 3.2). The PCI DSS was created to "increase controls around cardholder data to reduce credit card fraud via its exposure."
It is vital for any company, big or small, to take every possible step to secure its customers' private information, sensitive data and payment details. As time has shown, the threats will only continue to grow, and recent data shows that small businesses are more of a target than ever before. According to Security Magazine: "Only 31 percent of small businesses take active measures to guard themselves against security breaches and an estimated 41 percent of small businesses are unaware of the risks".
What Exactly Was There?
The database contained a large amount of the company's customer data, such as emails, addresses, names and other identifying details. Going deeper, we discovered that the server's rsync daemon was configured to serve the data without any password protection. This means that anyone with an Internet connection and an rsync client could have downloaded the data belonging to more than 190,000 customers. The data included checkout information, shipping addresses, emails, names, phone numbers and credit card details such as full 16-digit card numbers, expiration dates and cardholder names. There was no dedicated CVV column, but some fields contained CVV codes anyway, apparently by mistake.
The retailer describes itself as a specialty pet retailer offering services and solutions for the lifetime needs of pets.
The root cause appears to lie in how the website collects and stores its customers' personal data. A member of the research team placed a test order, and we found that the website's user-data backups are not protected by any login or password. The amount of information the checkout asked us to provide would make any customer uneasy, and it was shocking to those of us in the security and data-protection community.
The total number of credit and debit cards listed in the database is 110,429, and, more disturbingly, the list shows that the site has been collecting customers' card data since 2002. Some of the cards have already expired, but those added between 2015 and 2016 are still active, and in some cases the CVV numbers of the cards are listed as well.
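The exposure described above comes down to an rsync daemon (TCP port 873) whose module has no `auth users`, no `hosts allow` and is listable. The following is an added example, not Kromtech's tooling and not the retailer's actual configuration: it parses a constructed rsyncd.conf, shows the weak module beside a hardened one, and reports which modules any anonymous Internet client could pull. Module names and paths are assumptions.

```python
"""Audit an rsyncd.conf for modules that an anonymous Internet client can read.

Added example, not Kromtech's tooling and not the retailer's real
configuration. Module names and paths below are assumptions.
"""
from typing import Dict, List, Tuple

# Constructed rsyncd.conf. The [backups] module reproduces the exposure the
# article describes: no credentials, no source restriction, listable. The
# [backups_hardened] module shows the corrected form of the same share.
SAMPLE_RSYNCD_CONF = """
# global settings apply to every module unless the module overrides them
uid = nobody
read only = yes

[backups]
path = /srv/backups
comment = nightly database dumps

[backups_hardened]
path = /srv/backups
list = no
auth users = backupuser
secrets file = /etc/rsyncd.secrets
hosts allow = 10.0.0.0/8
hosts deny = *
"""


def parse_rsyncd_conf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (global options, {module: options}).

    Keys are lower-cased; lines starting with '#' or ';' are comments,
    which is how rsync itself treats them."""
    global_opts: Dict[str, str] = {}
    modules: Dict[str, Dict[str, str]] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return global_opts, modules


def _is_true(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def audit_modules(global_opts: Dict[str, str],
                  modules: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each module to the reasons it is exposed (an empty list means OK)."""
    report: Dict[str, List[str]] = {}
    for name, opts in modules.items():
        eff = {**global_opts, **opts}  # module options override globals
        issues: List[str] = []
        if not eff.get("auth users"):
            issues.append("no 'auth users': anonymous clients are accepted")
        if not eff.get("hosts allow"):
            issues.append("no 'hosts allow': any source address may connect")
        if _is_true(eff.get("list", "yes")):  # rsync default: listable
            issues.append("'list' is on: module shows up in 'rsync rsync://host/'")
        if not _is_true(eff.get("read only", "yes")):  # rsync default: read only
            issues.append("'read only = no': remote clients can also write")
        report[name] = issues
    return report


def exposed_modules(conf_text: str) -> List[str]:
    """Modules anyone on the Internet can pull: no auth AND no host restriction."""
    global_opts, modules = parse_rsyncd_conf(conf_text)
    return [
        name for name, issues in audit_modules(global_opts, modules).items()
        if any(i.startswith("no 'auth users'") for i in issues)
        and any(i.startswith("no 'hosts allow'") for i in issues)
    ]


if __name__ == "__main__":
    g, m = parse_rsyncd_conf(SAMPLE_RSYNCD_CONF)
    for module, problems in audit_modules(g, m).items():
        print(f"[{module}]", "OK" if not problems else "")
        for problem in problems:
            print("   -", problem)
```

The live equivalent of the check is two real rsync commands: `rsync rsync://host/` enumerates every module with `list = yes`, and `rsync -av rsync://host/backups/ ./loot/` copies the whole module when there are no `auth users` and no `hosts allow`. Even the hardened module still needs the secrets file kept mode 600 and the daemon bound to an internal interface, since rsync's own password exchange is not encrypted in transit.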
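What the researchers found in this dump (full PANs, expiry dates, and CVVs both in dedicated columns and scattered in other fields) is exactly what a cardholder-data discovery scan looks for. The following is an added example, not Kromtech's scanner and not the retailer's data: it runs over constructed records built from well-known test card numbers, flags Luhn-valid card numbers, spots CVV values in both named columns and free text, and separates active from expired cards against a reference date. The field names are assumptions.

```python
"""Scan exported records for stored cardholder data that PCI DSS forbids:
full PANs held in the clear and sensitive authentication data (CVV/CVC/CVV2)
retained after authorization.

Added example, not Kromtech's tooling. Records are constructed from
industry test card numbers; field names are assumptions.
"""
import re
from datetime import date
from typing import Dict, List

# Constructed sample rows, shaped like a checkout-table export (assumed names).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"order_id": "1234567890123456", "name": "Alice Example",
     "email": "alice@example.com", "card_number": "4111 1111 1111 1111",
     "expiry": "12/2016", "cvv": "123", "notes": ""},
    {"order_id": "1234567890123457", "name": "Bob Example",
     "email": "bob@example.com", "card_number": "5555-5555-5555-4444",
     "expiry": "03/2009", "cvv": "", "notes": "gift wrap"},
    {"order_id": "1234567890123458", "name": "Carol Example",
     "email": "carol@example.com", "card_number": "",
     "expiry": "", "cvv": "", "notes": "customer phoned, cvv 456 confirmed"},
]

CVV_FIELD_NAMES = {"cvv", "cvv2", "cvc", "cvc2", "cid", "security_code"}
# CVV leaked into free text, e.g. "cvv 456" or "CVC2: 1234"
CVV_IN_TEXT = re.compile(r"\b(?:cvv2?|cvc2?|cid|security code)\s*[:=]?\s*(\d{3,4})\b", re.I)
# 13-19 digits, optionally separated by spaces or dashes
DIGIT_RUN = re.compile(r"(?:\d[ -]?){12,18}\d")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(value: str) -> List[str]:
    """Return Luhn-valid 13-19 digit runs in a field value (separators removed)."""
    pans = []
    for m in DIGIT_RUN.finditer(value):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def find_cvv(field: str, value: str) -> bool:
    """True if a CVV column holds a value, or free text mentions a CVV."""
    if field.lower() in CVV_FIELD_NAMES:
        return re.fullmatch(r"\d{3,4}", value.strip()) is not None
    return CVV_IN_TEXT.search(value) is not None


def card_expired(expiry: str, today: date) -> bool:
    """expiry is MM/YYYY; a card stays usable through the last day of that month."""
    m = re.fullmatch(r"(\d{2})/(\d{4})", expiry.strip())
    if not m:
        return False  # unknown expiry: treat the card as possibly still active
    month, year = int(m.group(1)), int(m.group(2))
    first_of_next_month = date(year + (month == 12), 1 if month == 12 else month + 1, 1)
    return today >= first_of_next_month


def mask_pan(pan: str) -> str:
    """First six and last four digits only, the most PCI DSS allows to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_records(records: List[Dict[str, str]], today: date) -> Dict[str, object]:
    """Count rows holding PANs / CVVs and split PANs into active vs expired."""
    summary: Dict[str, object] = {"records": len(records), "pan_records": 0,
                                  "active_pans": 0, "expired_pans": 0,
                                  "cvv_records": 0, "findings": []}
    for idx, rec in enumerate(records):
        pans: List[str] = []
        has_cvv = False
        for field, value in rec.items():
            pans.extend(find_pans(value))
            has_cvv = has_cvv or find_cvv(field, value)
        if pans:
            summary["pan_records"] += 1
            key = "expired_pans" if card_expired(rec.get("expiry", ""), today) else "active_pans"
            summary[key] += 1
        if has_cvv:
            summary["cvv_records"] += 1
        if pans or has_cvv:
            summary["findings"].append(
                {"row": idx, "pans": [mask_pan(p) for p in pans], "cvv": has_cvv})
    return summary


if __name__ == "__main__":
    # Reference date chosen to match the article's November 2016 discovery.
    result = scan_records(SAMPLE_RECORDS, date(2016, 11, 1))
    for k, v in result.items():
        print(f"{k}: {v}")
```

Two design points matter in practice. Luhn filtering is what keeps order numbers and phone numbers out of the results, so a hit means a syntactically real card number rather than any 16-digit string; and the free-text regex is there because, as in this dump, CVVs tend to leak through notes and comment fields rather than a column that is obviously named after them. Findings are reported with masked PANs so that the scan output itself does not become another copy of cardholder data.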
How might stolen credit card data be used? In 2014, more than 600,000 individuals had their personal details stolen from UK companies. The credit card details were sold for only £1 (about $1.30 USD) per card on the dark web, and to this day it is still unknown exactly where that data was taken from. That case remains the biggest leak of credit card details ever. Our recent investigation shows that money can be taken from a victim's credit card even without knowing the CVV code. Cardholders report that retailers such as Amazon can charge their credit cards without asking for the Card Verification Value (CVV). The same happens in hotels, which can charge or place a hold on a credit card without knowing the CVV code.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Research Center.