Brian Krebs's Publisher Sourcebooks Security Breached


The security of Sourcebooks, an independent book publisher, has been breached, and hackers were able to gain access to customer credit card information. The credit card information included card number, expiration date, cardholder name and card verification value (CVV2).

Sourcebooks is the publisher of security reporter Brian Krebs's upcoming book "Spam Nation". "Fortunately, this breach does not affect readers who have pre-ordered Spam Nation through the retailers I’ve been recommending — Amazon, Barnes & Noble, and Politics & Prose. I mention this breach mainly to get out in front of it, and because of the irony and timing of this unfortunate incident," Krebs wrote.

According to Sourcebooks founder Dominique Raccah, the breach affected approximately 5,100 people who ordered from the company’s Web site between mid-April and mid-June of this year. Raccah said the breach occurred after hackers found a security vulnerability in the site’s shopping cart software.

"Shopping cart software is extremely complicated and tricky to get right from a security perspective. In fact, no one in my experience gets it right their first time out. That software must undergo serious battlefield testing," said Jeremiah Grossman, founder and chief technology officer for WhiteHat Security.

From Sourcebooks’ disclosure (PDF):
"Sourcebooks recently learned that there was a breach of the shopping cart software that supports several of our websites on April 16, 2014 – June 19, 2014 and unauthorized parties were able to gain access to customer credit card information. The credit card information included card number, expiration date, cardholder name and card verification value (CVV2). The billing account information included first name, last name, email address, phone number, and address. In some cases, shipping information was included as first name, last name, phone number, and address. In some cases, account password was obtained too. To our knowledge, the data accessed did not include any Track Data, PIN Number, Printed Card Verification Data (CVD). We are currently in the process of having a third-party forensic audit done to determine the extent of this breach."
