Maine Seed Company Website Hacked: Demonstrates SMB Vulnerability & Questions Hacker Safe Seals

This is the time of the year that thoughts turn to gardening as seed catalogs start filling the mailboxes. I enjoy having fresh-grown vegetables from my garden; nothing is better than a deep red, ripe, juicy Big Boy Beefsteak tomato right off the vine. These seed companies are overwhelmingly small to medium-sized businesses (SMBs). Many have gone online in the past few years, bucking the century-long tradition of depending primarily upon postal mail for their sales.


SMBs are increasingly being targeted for hacking, identity theft and cybercrime, and the number of hacking incidents within SMBs is growing. Today another SMB incident was reported that demonstrates this trend.
The Kennebec Journal reported that Johnny’s Selected Seeds website was hacked.

“11,500 credit card accounts were stolen electronically in February.”

It did not take long for the criminals to use the stolen information.

“Of the total number of accounts that were breached, about 20 of the credit cards were used fraudulently”

This is only the number known to have been used fraudulently so far; it is likely more will be used, as the credit card data could easily have been sold, perhaps multiple times, to other criminals.

“”Essentially what happened is that criminals gained access to our internal systems and gathered enough information to allow them to then gain access to our Web site,” Harrington said.
The company’s “server farm” in Kentucky was the target, he said.
“They hack in there with the information they have, then they can get into information that’s stored on the Web, which included credit card information,” he said. “Since then, emergency measures have been implemented and the site is being monitored around the clock to ensure this doesn’t happen going forward.”
Letters have been sent to each of the account holders who then contacted their banking institutions and credit card companies to prevent further breaches and additional fraud.
Harrington said the breach was noticed on Feb. 18, when two customers called and said their credit cards had been compromised with fraudulent charges.
“They had shopped here as well as other locations,” Harrington said. “As a security precaution, we immediately notified our Web vendor that handles our Web site, as well as our (information technology) department internally, and started hunting for any breaches in security.”
The investigation by the company’s emergency response team determined that the original illegal entry happened Feb. 4. The system was locked down, passwords were changed, hard drives were removed and multiple new security layers and software were put in place to make sure something like this does not happen again, he said.”

There are many problems with the reported information and scenario presented. Just a few include:
* Credit card numbers stored on a webserver
* Credit card numbers, and other personally identifiable information (PII), stored in clear text
* The website management/hosting had been outsourced to a third party vendor; were any contractual information security requirements in place for that vendor to follow? Did Johnny’s perform a security review of the web host vendor’s information security program?
* The company and website host did not even know a hack had occurred until after a customer notified them. What kind of site monitoring and logging are they doing? Do they have any intrusion detection system in place? Do they review their activity logs?

The Johnny’s Selected Seeds website is taking orders now. There is also a ScanAlert Hacker Safe seal on their site that was certified today, March 3.

“Harrington said the company had installed “hacker safe” software before the breach, but the system was compromised anyway.”

Hmm…so they had this seal and certification at the time of the hack? I wonder how thorough the Hacker Safe review is. It appears they are promoting the seal more to increase sales than to actually improve or validate security.

“”It wasn’t a Web site hack,” he said. “It was a breach of security from outside, into our internal security system’s network here in Winslow, from which they were able to gather enough information from looking at screens and passwords, to then get into the Web site undetected, grab that information and leave.”

Wait…so the website was certified as being hacker safe, and yet there were weaknesses leading into the website from the back-office systems? Finding those vulnerabilities should be part of the website security review.
Did they find keystroke loggers? Their statement seems to imply this.
You cannot just test the front door, set the deadbolts and jiggle the locks there and say all is secure when the back doors and windows are left wide open.
Talk about a dangerous false sense of security.

“Harrington said Internet fraud is nothing new. He pointed to recent breaches at T.J. Maxx and Bank of America systems as two examples.”

This is a rather dismissive and flippant remark. I realize quotes can be printed out of context, but just because other types of computer crime have happened does not make it okay for incidents to continue to happen. The Hackers Hit Me Club should not be one you want to get initiated into; organizations need to take appropriate actions and establish proper safeguards so they do not join the hit-by-hackers alumni.

“He said the breach and subsequent investigation, mailings to affected customers and software corrections have cost the company tens of thousands of dollars. “This has really put a financial burden on us in the short term,” he said.”

Indeed…poor and lacking security, and subsequent incidents, will cost companies more than the cost of preventing incidents in the first place.
The adage, “An ounce of prevention is worth more than a pound of cure” is certainly applicable to information security within business.
Tens of thousands of dollars may not sound like much to large organizations, but such a hit could put an SMB out of business.
