Recent CDuniverse Breach Wasn’t Company’s First

The recent security breach at CDuniverse wasn’t the first time the company
has put customer data at risk.

As recently as late December, CDuniverse was
including customer credit card numbers in the emails sent out confirming
orders placed in its section at the Yahoo! Shopping site.

According to copies of e-mail confirmations obtained by InternetNews,
CDuniverse was transmitting complete card numbers along with customer
addresses, in plain text messages — a practice frowned upon by security

CDuniverse officials didn’t respond to repeated requests for comment, but
the company has apparently recently discontinued the practice.

Kathy Edwards, a spokesperson for Discover Financial Services, confirmed
that about 10,000 accounts were affected. The affected cards have been canceled and credit card holders have been issued replacements. An American Express
spokesperson, Molly Faust, declined to reveal the number of card holders
involved in its recall. Visa and Mastercard issue cards through banks and
other partners and have not initiated similar recalls, although partners
could take that action.

To prevent misuse of the existing
cards during the period when the new cards are en route to holders, the
company said it has implemented unspecified fraud detection features.
Discover cardholders, however, will be without use of their accounts until
they receive their new plastic, according to the company. Both card issuers
are offering expedited delivery of the new cards using express mail

Last Friday, CDuniverse sent emails to its customers notifying them about
the security breach and suggesting they monitor their cards for any
suspicious activity, but the company did not recommend that customers cancel
their credit cards.

The stolen credit cards were posted to a Web site on Dec. 25th, and
according to a counter at the site more than 25,000 were downloaded by
visitors before it was taken offline January 9th. Maxus claimed in an email
to InternetNews to have notified CDuniverse about the stolen data over a
month ago, and said he posted the cards only after the company failed to pay
him $100,000 in ransom.

CDuniverse officials have declined to provide specifics about when they
first learned about the stolen data.

Anita Boomstein, an ecommerce attorney with Hughes Hubbard & Reed in New
York, said that if CDuniverse was slow to notify customers about the
break-in, it will bear the cost of any fraudulent card use.

“The issuers can’t charge the consumers for any unauthorized charges — they
will charge them back and debit CDuniverse’s merchant account. So to the
extent that they didn’t act reasonably in the way they handled it,
CDuniverse will ultimately bear the penalty for it,” said Boomstein.
