RealTime IT News

Recent CDuniverse Breach Wasn't Company's First

The recent security breach at CDuniverse wasn't the first time the company has put customer data at risk.

As recently as late December, CDuniverse was including customer credit card numbers in the emails sent out confirming orders placed in its section at the Yahoo! Shopping site.

According to copies of e-mail confirmations obtained by InternetNews, CDuniverse was transmitting complete card numbers, along with customer addresses, in plain-text messages -- a practice frowned upon by security experts.

CDuniverse officials didn't respond to repeated requests for comment, but the company has apparently recently discontinued the practice.

Kathy Edwards, a spokesperson for Discover Financial Services, confirmed that about 10,000 accounts were affected. The affected cards have been canceled and credit card holders have been issued replacements. An American Express spokesperson, Molly Faust, declined to reveal the number of card holders involved in its recall. Visa and Mastercard issue cards through banks and other partners and have not initiated similar recalls, although partners could take that action.

To prevent misuse of the existing cards during the period when the new cards are en route to holders, the company said it has implemented unspecified fraud detection features. Discover cardholders, however, will be without use of their accounts until they receive their new plastic, according to the company. Both card issuers are offering expedited delivery of the new cards using express mail services.

Last Friday, CDuniverse sent emails to its customers notifying them about the security breach and suggesting they monitor their cards for any suspicious activity, but the company did not recommend that customers cancel their credit cards.

The stolen credit cards were posted to a Web site on Dec. 25th, and according to a counter at the site more than 25,000 were downloaded by visitors before it was taken offline January 9th. Maxus claimed in an email to InternetNews to have notified CDuniverse about the stolen data over a month ago, and said he posted the cards only after the company failed to pay him $100,000 in ransom.

CDuniverse officials have declined to provide specifics about when they first learned about the stolen data.

Anita Boomstein, an ecommerce attorney with Hughes Hubbard & Reed in New York, said that if CDuniverse was slow to notify customers about the break-in, it will bear the cost of any fraudulent card use.

"The issuers can't charge the consumers for any unauthorized charges -- they will charge them back and debit CDuniverse's merchant account. So to the extent that they didn't act reasonably in the way they handled it, CDuniverse will ultimately bear the penalty for it," said Boomstein.