[BreachExchange] Customers Question Breach Alert Etiquette at Blowout Cards

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 25 19:11:50 EDT 2017


http://www.bankinfosecurity.com/blogs/customers-question-breach-alert-etiquette-at-blowout-cards-p-2458

Free advice for breached businesses: Once you admit that you've suffered a
data breach or that you're investigating whether you were breached,
disseminate that message far and wide, including via all social media. That
way, no one can accuse you of trying to cover it up.

Consider that many police departments now issue statements or updates on
investigations not only via their websites, but also Facebook and Twitter.
Simply put, those are great ways to get the message out.

And at a minimum, that's what all other organizations should be doing as
well, especially when it comes to warning customers or users that they may
have been the victim of a data breach or other security-related incident.

Likewise, here's what not to do: Issue a breach notification only via your
own forums, while failing to get the word out via social media or email to
anyone who may not have logged onto your site in the past day, week, month
or year.

That is what seems to be happening with Blowout Cards, a site devoted to
the buying, selling and trading of sports cards and trading cards that's
owned by Frontline Collectibles Inc. in Sterling, Virginia.

Breach Alert Timeline

Reports of a potential breach at the site - dating from at least January -
first surfaced on April 19 via the Blowout Cards forum post with the
subject line of "credit card problems." As of April 24, however, the
company had yet to issue any alerts via social media or to directly notify
potential victims.

"Not sure where to put this, but I ordered something from Blowout in
January. Used a credit card that I rarely use - only other place I use is
NYTimes subscription," wrote "ForceChange77" in an April 19 post. "Somebody
got the card number and started charging all kinds of fraudulent charges.
Has there been a problem recently?"

On April 20, a site administrator responded that the organization had been
alerted to a security breach - it didn't say by whom - and that it was
investigating.

On April 21, an "Important Message - Attention Customers" alert was posted
to the front page of the Blowout Cards site, leading to a security notice
posted in the thread started by ForceChange77.

Security Alert

"Recently we were alerted to a potential security breach on our website.
After researching this issue, our internet security team detected and
patched an exploit that allowed unauthorized access to customers' card
information when checking out on Blowoutcards.com," that security alert
reads.

"We are currently in contact with several leading third-party security
firms to determine the cause of the breach and assure you that we are
working with leading experts to harden our security to prevent any future
incidents. Although the immediate issue has been resolved, our
investigation into this matter is ongoing and we will communicate
additional information to you as it becomes available to us," it adds.

Multiple other customers also reported via the forum post that they too
seemed to have experienced card fraud tied to the site.

One customer emailed me directly, noting that his debit card was also hit
with suspicious charges. He believes the fraud traces back to the Blowout
Cards site.

"My debit card was hit with charges," he says. "I quickly cancelled the
card and waiting on reimbursement from my bank, which I am sure won't be a
problem."

Under U.S. consumer protection law, credit card users are protected if
their card gets used fraudulently, provided they notify the card issuer in
a timely manner. Debit card users, however, have no such protections, which
is why many identity theft experts recommend never using debit cards for
online purchases. That said, many banks will refund charges tied to debit
card fraud.

Fraud-loss coverage aside, the customer also questions why Blowout Cards
had only posted a warning to its forums - even though fraud appears to be
ongoing - rather than getting the message out via social media channels.

"Blowoutcards/Frontline collectibles seems like they are trying to hide the
information," he says, noting that he rarely looks at the forum articles,
because they typically involved just advertisements for sales. "They have
the ability to post a message on Twitter/Facebook account which would
notify 10-20X as many customers that have been affected. I am sure less
than 25 percent of customers affected don't use the company's web forum
which is the only place they have the small notice/warning."

Blowout Cards Promises Direct Notifications

I asked Blowout Cards when its breach apparently began, how many users were
affected, whether it plans to offer identity theft monitoring services to
victims and why it hadn't issued any alerts via social media or other
channels.

Thomas Fish, president of Blowout Cards, responded by saying that more
details will be forthcoming by April 25.

"At this time, any statement(s) have been posted on the forum where we
first became aware of a potential issue. We will be making a more detailed
announcement within the next 24 hours," he told me on April 24. "We will be
contacting all potentially affected users via email at that time as well."