Hackers Succeed in Breaching Shopping Cart Software

In a show of bravado, several cyber-hackers busted into merchant sites
operating shopping cart services supplied by PDG Software, stole information
and then sent notes to the store owners boosting of their exploits.

Atlanta-based PDG Software president David Snyder told internetnews.com that an
undisclosed number of merchants sites touting his software had been scaled
by cyber “rogues.”

The company, which first became aware of the problem in the early morning
of April 2, said it immediately patched the software and sent out a mass
e-mail to the 4,000 Web merchants using its shopping cart package.

Merchants who were sent messages from the cyber thieves brought the matter
to PDG Software’s attention.

Although Snyder declined to go into detail, pending an FBI investigation, he
said the messages sent by the hackers read “we ripped you off, we broke into
your site.”

Besides generating an immediate e-mail, Snyder notified other system patrons
directly affected by phone. He declined to name which merchants had been
compromised. However, he noted that there was no “misappropriation of credit
cards to his knowledge” at that time. The FBI later informed PDG that the
hackers had attempted to read credit card numbers.

Following the security breech, on April 6 the FBI issued an advisory through
The National Infrastructure Protection Center (NIPC), which serves as a
national cyber warning center, to confirm “the significance of [the]
vulnerability.”

“Based on ongoing investigations, including information immediately provided
to the FBI by PDG Software and numerous victim companies, the NIPC is aware
that the vulnerability has already resulted in compromise and theft of
important information, including consumer data.

The NIPC emphasizes the recommendation that all computer network systems
administrators check relevant systems and consider applying updated patches
as necessary, especially for systems related to e-commerce,” the warning
said.

PDG Software currently uses a Q/A troubleshooting department and employs
third party audit firms, including U.K- based Cerebus to safeguard its
software.

The five-year old company does business with a mostly-international base of
merchants who license its shopping cart software, including sites operating
Web distribution centers and auctions.

Snyder claimed none of the merchant sites had dropped his service as a
result of the cyber break-in.

“This is the nature of the business,” he said, surmising merchant sites
understand the risk involved in doing business on the Web.