Egghead.com Gets Hacked

Internet retailer Egghead.com — which sells software and related products to small- and medium-sized businesses — Friday revealed a hacker had penetrated its computer systems and may have accessed its customer databases.

Sources inside the credit card industry have reportedly said that as many as 3.7 million card numbers may have been stolen. Egghead.com has not confirmed any credit card number thefts.

“As a precautionary measure, we have taken immediate steps to protect our customers by contacting the credit card companies we work with,” Egghead.com said in a statement released Friday morning. “They are in the process of alerting card issuers and banks so that they can take the necessary steps to ensure the security of cardholders who may be affected.”

Egghead.com uses Digital River, an ecommerce service provider based in Minnesota, for its software download store. Marty Boos, vice president of Information Systems for Digital River, said his company has determined that its systems were not involved in the Egghead.com breach. And Boos said that for the 9,000 online stores Digital River operates for clients, customer data — including credit cards — are not accessible from the Web.

“You ought to be storing your credit card and customer information in a database that is non-Web accessible,” Boos said. “The normal type of architecture is you’ve got your Web server sitting in a de-militarized zone and they can only talk to the back-end database through some kind of a tunnel. That is the way that most companies that are building stores today are building them.”
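The tiered layout Boos describes, written out as a packet-filter policy. This is an added illustration, not Egghead.com's or Digital River's configuration: the interface names, addresses and the database port are assumed, and the "tunnel" he mentions is represented simply as the one permitted TCP flow between the web tier and the database host.

```nft
# Added example (not from the article). Assumed topology:
#   wan      - Internet-facing interface
#   dmz      - web server at 192.0.2.10
#   internal - database server at 10.0.0.20, PostgreSQL on TCP 5432
# The firewall routes between the three zones, so the rules live in the forward hook.
#
# A flat network is the weak setting: "policy accept;" with no per-zone rules,
# so anyone who finds the database port from the Internet, or who compromises
# any host, reaches the card data directly.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already permitted
        ct state established,related accept

        # The Internet may reach only the web tier, and only on HTTP/HTTPS
        iifname "wan" oifname "dmz" ip daddr 192.0.2.10 tcp dport { 80, 443 } accept

        # Only the web server may open the database port, and only to the DB host
        iifname "dmz" oifname "internal" ip saddr 192.0.2.10 ip daddr 10.0.0.20 tcp dport 5432 accept

        # Everything else (Internet -> internal, DMZ -> any other internal host,
        # database -> outbound) falls through to the chain policy and is dropped.
    }
}
```

Load it with `nft -f` and confirm the result with `nft list ruleset`. The caveat a practitioner would add: the policy keeps the database off the Web, but the web server still holds working database credentials, so a compromised web server can still query card data. That is why the storage of card numbers, and the outside audits Boos calls for later in this article, matter as much as the network layout.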

Egghead.com did not reveal how it learned of the breach, but it said that it has been strengthening its security for many months in “an effort to combat the increasing, industry-wide problem of malicious hacking.”

The company said it has retained “the world’s leading computer security experts” to investigate its security procedures and conduct an analysis of the intrusion. The company also said it is working with law enforcement authorities who are conducting a criminal investigation.

“We are committed to providing the highest security standards in the industry, a process that has been ongoing and has involved a considerable investment on the part of our company,” Egghead.com said in its statement. “Those principles will continue to guide us going forward.”

Meanwhile, the FBI is reportedly investigating reports by dozens of online shoppers of fraudulent charges to their credit cards by a mysterious Russian telecommunications firm.

Numerous Internet users have discovered unauthorized charges of about $10 on their credit card statements this month, paid to a company called Global Telecom.

The bogus charges were first reported on the message boards at FatWallet.com, a shopping information site. Many online shoppers believe their credit card numbers were stolen somehow during an online transaction at an as yet unidentified e-tailer or e-tailers. Then the card numbers were charged small amounts by Global Telecom, so as to avoid detection.

It’s not clear how Global is involved in this scam. The company operates two web sites, at GTELECOM.NET and at INETPLAT.COM. Both are registered to Global Telecom Solutions Corp. in Panama, although the contact information sections at the sites list a Moscow address. Attempts to reach Global this morning were not successful.

It’s also difficult to gauge just how many people have been affected by this scam.

Tim Storm, FatWallet’s operator, says his site gets about 13,000 unique visitors each day, and while they may do more online shopping than most Internet users, Storm says the prevalence of users who are reporting Global Telecom charges is alarming.

As to which ecommerce site has coughed up the credit card numbers that are being used to rack up these $10 charges, a spokesperson for Egghead.com today said the company doesn’t believe it was the source. Some posters to the FatWallet message boards are speculating that drugstore.com may be the common thread, but Judith McGarry, vice president of Strategic Partnerships for drugstore.com, today said the online company has investigated the rumors and is confident of its security.

In recent days, a computer crook broke into creditcards.com, which processes credit transactions for online companies, and posted some 25,000 credit card numbers on the Internet after a failed blackmail attempt. It’s not clear whether those card numbers are the ones involved in the Global Telecom case.

All in all, this rash of online security breaches, coming as it has during the holiday shopping season, is raising some tough new questions about online security, and whether ecommerce firms are doing enough to protect themselves.

Boos of Digital River said it’s not enough just to build good defenses against attackers — he said defenses need to be tested from time to time with outside security audits.

Brian McWilliams of InternetNews Radio contributed to this report.
