Thursday, April 25, 2024

Smucker’s Hacked E-Commerce Site To Reopen Soon; Sally Beauty Confirms Breach

The J.M. Smucker Co.’s online store is expected to reopen next week, nearly a month after the jam-and-jelly producer closed it after discovering that hackers had broken into its computer system and stolen payment card data and other personal information on up to 23,000 customers. In other data-security news, beauty products retailer Sally Beauty Holdings Inc. this week confirmed that it had indeed been hacked, but says the number of payment card numbers stolen is less than 25,000.

Orrville, Ohio-based Smucker’s sells most of its products in grocery stores, but some are available online. That is, were available until shortly after the company discovered the data breach in mid-February—a breach it said may have started back in December 2012 and lasted until this January.

Smucker’s is contacting affected customers and providing free credit-report monitoring services, a spokesperson tells Digital Transactions News by email. Meanwhile, the company is nearing completion of new fortifications for its temporarily closed e-commerce site. “We anticipate the online store will be up and running next week,” the spokesperson says.

The KrebsOnSecurity news site says Smucker’s was one of many victims of a criminal hacking gang that used malware and a botnet—a group of computers they illicitly controlled—to exploit vulnerabilities in sites using outdated versions of ColdFusion, a Web-site application program from software developer Adobe Systems Inc. The malware would capture names, card numbers, and other data as they were being entered into forms during the checkout process, before they could be encrypted.

The Smucker’s spokesperson did not specifically address ColdFusion in response to a Digital Transactions News inquiry about how the breach happened. “Although we have a long history of providing our consumers a secure shopping experience through our online store, we were extremely disappointed to learn of an incident that resulted in the illegal and unauthorized access to data files within the online store Web site, hosted by an external service provider,” the spokesperson says. “We believe the unauthorized user utilized a sophisticated scheme to illegally obtain this personal information as it was being entered during the online checkout process. Up to 23,000 consumers may have been impacted.”

Smucker’s earlier this month said the stolen data include customer names, addresses, email addresses, phone numbers, credit or debit card numbers, expiration dates, and verification codes. “We continue to thoroughly investigate this matter with federal authorities and have taken steps to address the cause of this incident,” the spokesperson says.

Data-security researcher Avivah Litan at Stamford, Conn.-based Gartner Inc. says ColdFusion’s “vulnerability has been around for a long time.” She adds that hackers, while sometimes called creative by investigators, often “basically repackage and reuse [malware] all the time” to exploit application weaknesses. “There are only so many tools in these criminals’ toolkits,” she says.

According to KrebsOnSecurity editor Brian Krebs, the same gang was responsible for numerous other computer break-ins, including a big one at Adobe itself, LexisNexis, and a small payment card processor, SecurePay.

Meanwhile, Denton, Texas-based Sally Beauty, which has more than 2,000 U.S. stores, on Monday confirmed that it actually did have a data breach. In response to a March 5 KrebsOnSecurity report that up to 285,000 card numbers may have been stolen from Sally Beauty, the company quickly said it had detected an attempted intrusion into its computer network, but “we have no reason to believe there has been any loss of credit card or consumer data. We will continue to investigate and actively monitor this situation.”

Since then, that investigation—led by Verizon Communications Inc.’s computer-forensics unit—has confirmed the loss of payment card data. “We have now discovered evidence that fewer than 25,000 records containing card-present (Track 2) payment card data have been illegally accessed on our systems and we believe it may have been removed,” Sally Beauty’s March 17 statement says. “As experience has shown in prior data-security incidents at other companies, it is difficult to ascertain with certainty the scope of a data-security breach/incident prior to the completion of a comprehensive forensic investigation. As a result, we will not speculate as to the scope or nature of the data-security incident.”

The company says the U.S. Secret Service also is investigating. A Sally Beauty spokesperson would not comment beyond Monday’s statement.


Digital Transactions