Hack Results in Action by Credit Card Firms

In the wake of the CDuniverse break-in, which resulted in the theft of as
many as 300,000 credit card numbers and other customer information by a
Russian cracker using the nickname Maxus, two credit card companies have re-issued cards to all cardholders who
have shopped at CDuniverse.

Kathy Edwards, a spokesperson for Discover Financial Services, confirmed
that about 10,000 accounts were affected. The affected cards have been
canceled and credit card holders have been issued replacements. An American
Express
spokesperson, Molly Faust, declined to reveal the number of card holders
involved in its recall. Visa and Mastercard issue cards through banks and
other partners and have not initiated similar recalls, although partners
could take that action.

To prevent misuse of the existing
cards during the period when the new cards are enroute to holders, the
company said it has implemented unspecified fraud detection features.
Discover cardholders, however, will be without use of their accounts until
they receive their new plastic, according to the company. Both card issuers
are offering expedited delivery of the new cards using express mail
services.

Last Friday, CDuniverse sent e-mails to its customers notifying them about
the security breech and suggesting they monitor their cards for any
suspicious activity, but the company did not recommend that customers cancel
their credit cards.

The stolen credit cards were posted to a Web site on Dec. 25th, and
according to a counter at the site more than 25,000 were downloaded by
visitors before it was taken offline January 9th. Maxus claimed in an email
to InternetNews to have notified CDuniverse about the stolen data over a
month ago, and said he posted the cards only after the company failed to pay
him $100,000 in ransom.

CDuniverse officials have declined to provide specifics about when they
first learned about the stolen data.

Anita Boomstein, an e-commerce attorney with Hughes Hubbard & Reed in New
York, said that if CDuniverse was slow to notify customers about the
break-in, it will bear the cost of any fraudulent card use.

“The issuers can’t charge the consumers for any unauthorized charges — they
will charge them back and debit CDuniverse’s merchant account. So to the
extent that they didn’t act reasonably in the way they handled it,
CDuniverse will ultimately bear the penalty for it,” said
Boomstein.