Amazon, despite denials, was warned about hack

Company 'spin' goes over the top

Exclusive A humiliating hack which resulted in four months of continuous credit-card data vulnerability for Amazon subsidiary Bibliofind, originally broken by the Wall Street Journal Tuesday, appears to involve fraud on more than one level.

Intruders downloaded the company's customer records, including their credit card details, names and addresses, over a four-month period during which Bibliofind claims, incredibly, that it remained ignorant of any wrongdoing.

"We have no information at this time to suggest that customers' credit cards have been misused," company spinmeister Jim Courtovich is quoted as saying.

The Register has reason to believe that Courtovich's statement, while painfully predictable, is misleading.

At least one merchant known to us experienced "a spate of credit-card fraud starting late last year," at just the time when Bibliofind's security breach began.

Items worth between $1200 and $2000 were bought with valid US credit cards and ordered "to be shipped mostly to eastern-European destinations."

Our sources, who requested that their identity be withheld, explained that their operations manager "got suspicious and phoned the cardholders concerned, who confirmed that they'd not placed any orders."

"We asked them if they shopped on-line anywhere else, as we suspected someone's database had been hacked. The only common link was Bibliofind," the source told us.

No good deed goes unpunished

The merchant dutifully contacted both Bibliofind and Amazon to warn them that they had trouble, perhaps vainly hoping to get a 'thank-you' in reply.

"The Bibliofind sysadmin seemed quite interested and mentioned that there was a possible security weakness within the system used by vendors to log in, although he understandably didn't give details," a second source continues.

So far so good, but "I then spoke with an Amazon sysadmin and the Amazon fraud department manager. I forwarded the details that I had collated and expected them to quietly close the hole."

"I was a bit put out to get an aggravated phone call from Amazon a few weeks later threatening legal action because I had discussed the [situation] with the card holders I had contacted. They insisted that there was no evidence that their site had been broken."

So much for one's good deed of the day. "I muttered a few appropriate words and left it at that," the disgusted merchant says.

"They had been made aware of this months ago, but have done absolutely nothing. We still get fraudulent orders, quite possibly from the same database," he added.

Lies, damned lies, and statistics

So how shall we reconcile Jim Courtovich's bold assertion that the company has "no information at this time to suggest that customers' credit cards have been misused" with what we've just learned? Is this pure ignorance? Or a bald-faced lie? Or Clintonesque hair-splitting akin to debating what the meaning of 'is' is?

We'll take option three. We don't think Courtovich is an imbecile; and we rather expect he has better sense than to lie outright to the press, who make it their habit to test relentlessly the self-serving pronouncements of little PR bunnies like himself.

But if we assume that the information supplied to Amazon and Bibliofind by our merchant has since been discarded, then "we have no information at this time" becomes a quite true, if patently misleading, statement of which Slick Willie himself would no doubt be proud. ®
