Egghead credit card hack: serious questions remain
Stonewalling as a way of life
It started with a tip from a Register reader whose bank advised him to cancel his Visa credit card after shopping at on-line retailer Egghead.com, then developed into a tour de force of public-relations worst practices, and finally ended in lingering doubts about whether Egghead's vehement claim that no credit card data was compromised during its Christmas hack is trustworthy.
Initially, all we knew was what our reader told us: "Late last week my [bank] called to tell me that Egghead had told the Visa company that a large number of their customers credit card info had been accessed by a hostile cracker. They told me to cancel my card and request a new one. I asked if my card had been used by the crackers, and they said 'no.'"
We first replied to the reader asking the name of his or her bank; and then contacted Egghead. We were intensely curious because if our reader was right, we'd found a real discrepancy between what Egghead told Visa, and what they told the public, about the extent of the December attack.
We also needed to learn whether this item indicated a more recent hacking incident, as we originally suspected, because a full four months had elapsed between the holiday hack and our reader's warning from their bank.
"Oh, this is nothing," Egghead PR bunny Robin Crandall chuckled to us in a flutey voice. "This happened ages ago. It's old news, nothing to report at all."
Crandall suggested that the bank was needlessly alarming customers about an incident which Egghead had determined to be harmless. She also cast doubt on their security competence, noting more than once that it had taken them four months to alert their Visa customers.
"I'm sorry to say it, but you just don't have a story here," she told us in a patronizing tone, as if we were some greenhorn who needed a bit of friendly advice from a real insider.
We assured her that we'd been around long enough to know that we already had a story, as the glaring discrepancy between Egghead's reassuring press release, and the decidedly skittish behavior of a bank which issues Visa cards, is news in itself. We made it clear that we intended get to the bottom of it as well as we could.
That little performance instantly concluded our friendly chat with Crandall, but soon yielded a phone call and e-mail memo from her supervisor, Egghead Corporate Communications VP Joanne Sperans Hartzell.
"We are confident that the breach was contained, our database was not accessed, and customer data remained uncompromised. We have been confident of this since a thorough investigation led by Kroll Associates, working with our internal team, the FBI and the credit card companies, completed in early January, revealed no evidence that any customer information left our system," Hartzell told us.
Which is not the same as saying that they'd determined that no customer information had left their system. 'Revealed no evidence' wasn't quite final enough for us. We pressed on.
Meanwhile, back at the bank
Once we learned the identity of the Visa issuer (bank) which sent out the warning, we contacted their security department. We didn't identify ourselves, and in fact affected to sound like a worried customer. Because the bank's Visa security officer never knew they were talking to the press, we won't quote him or her; but we will say that their understanding of the Egghead hack struck us as not quite in alignment with Hartzell's.
Next we spoke on the record with the bank's card-holder account manager, who asked that s/he, and the bank, not be identified in print. "There's got to be something going on here," they reasoned. "Surely the Egghead database was compromised; otherwise, why would Visa recommend [that we cancel our customers' cards]"?
Visa cowers in fear
Why indeed, we wondered. Surely, if Egghead's version of events was accurate, there'd be no need for a bank to go to such lengths. And surely, no image-conscious bank would inconvenience its customers needlessly.
A day later we obtained a letter written by Visa USA Senior VP and security specialist John Shaughnessy to card issuers warning about the Egghead hack, which unfortunately raised more questions than it answered.
The letter, dated 23 December 2000, warns card issuers that "on December 21, Visa USA was informed that a merchant had discovered a security breach in its computer system that may have put cardholder data at risk."
The next sentence, however, reads: "The cardholder data compromised included account numbers, CVV2*, cardholder names, addresses and possibly card expiration dates."
Sentence one says the breach 'may have' compromised account data. Sentence two assumes that the data was compromised. We very much wished to clear that bit up.
Reading further, we noticed that in paragraph five, Shaughnessy says that "Visa has begun to monitor the account numbers at risk from this compromise through our neural network fraud detection system," once again implying that account information did get out.
He also says that the affected accounts would be "monitored as a portfolio at risk, measuring fraud rates outside the norm," and promises to "notify [issuers] directly if we have additional information."
So, in addition to clearing up the uncertainty in Shaughnessy's wording about whether a compromise of data 'may have' occurred, or did in fact occur, we also needed to know if our bank might have been responding to 'additional information' as he promised to supply.
We thought it would make sense that the bank in question would be canceling credit cards four months after Shaughnessy's initial contact if he had delivered specific warnings in the interim.
So naturally we rang Shaughnessy's office and asked him to clarify his wording in the letter. An hour later a Visa flack rang to tell us that we'd be getting a call regarding our inquiry later that day.
We were quite surprised a few hours later to take a call, not from Shaughnessy, but from Devorah Goldburg, with Visa's media relations contractor, Ketchum, whose home-page mousetrapped us (hence our omission of a link).
There was absolutely nothing, Goldburg told us (with a redeeming hint of embarrassment, we should add), that Shaughnessy was willing say about his own written words. And not only was he unwilling to explain his letter, he lacked the spine to ring us and tell us so himself, but had cowered behind a third party -- not even a Visa employee -- whom he ordered to disappoint us on his behalf.
As so often happens in news-gathering, we were shut down by a frightened wimp. And his pretext was ever so tired; he couldn't bring himself to comment because an FBI investigation was still underway (in contradiction to Hartzell's assertion above that it had been completed months ago).
When we started this story we'd hoped to advise those of our readers who shopped at Egghead prior to the holiday hack as to whether canceling their credit cards would be a prudent move, or an overreaction; but thanks to Shaughnessy's irrational fear of explaining himself, we remain unprepared to do so.
Ironically, Egghead's Hartzell approached us last week proposing to "put an end to the disinformation regarding the attack on our systems in December," but, as events would have it, she only contributed to it in the end. ®
*CVV2 refers to a number on the back of a credit card which can provide a checksum based on the owner's address and postal code. Egghead is one of the few Web merchants which currently advises shoppers to supply the CVV2 value for added security, thus.
Background on CC fraud
Sponsored: Becoming a Pragmatic Security Leader