Imagine this situation: you own a small business with an ecommerce website. One day you wake up to learn from your hosting company that the server your ecommerce site is hosted on had a problem.
Some unauthorized software code had been placed on the server. As a result, it’s “possible” that credit card information from customers had been snooped on and compromised.
As the owner of a small business, all sorts of thoughts run through your head.
- First, you worry about your customers — and the potential of losing the good customer relations and good business reputation that you’ve spent years building up.
- Some states in the U.S. have specific requirements for notifying customers in such situations. You don’t know all the requirements — nor do you know where to begin to figure out how to comply.
- To top it off, the potential for financial liability is there, in the event your customers’ financial data turns out to actually have been stolen and used elsewhere. Yikes!
This type of situation happened recently to 4,343 merchants — most of them small businesses — that hosted their ecommerce sites with Network Solutions.
Network Solutions discovered on June 8, 2009 that some unauthorized software code had been placed on one of their servers that is used to host merchant ecommerce websites (the Network Solutions site itself was not affected). According to a special informational website set up by Network Solutions, at www.careandprotect.com:
“The code may have captured transaction data from approximately 573,928 cardholders for certain date periods this spring. Exposure varied by merchant, but in all cases it took place sometime between March 12, 2009 and June 8, 2009.”
Network Solutions took action. They removed the code as soon as they found it, notified law enforcement, and then undertook an investigation.
Network Solutions also contracted with TransUnion to provide certain services to their merchants at Network Solutions’ expense, including helping notify the merchants’ customers and providing their U.S.-based customers with the ability to receive one year of free credit monitoring.
To date, no customer’s credit card information has actually been misused, according to the CareandProtect website. The website has extensive information, including FAQs for the merchants involved and FAQs for their customers.
Perhaps the best part of the website is that it includes a blog, where merchants can give their feedback (there are also toll-free numbers). One post indicates some changes that Network Solutions made in response to merchant feedback about the notification letters intended to go out to customers.
I have been watching the way Network Solutions handled this situation. I do some speaking for Network Solutions, and recently was tapped to volunteer on their Social Media Advisory Panel, and naturally was keenly interested in how they handled a potential crisis like this — and how well they supported the small businesses they serve.
So I emailed some questions to Shashi Bellamkonda, the “Social Media Swami” of Network Solutions to learn more. Here is that interview:
Question: How did the unauthorized code get on the server? Does Network Solutions know or are you still investigating? If you know, what can you share?
Shashi: At this moment the investigation is still ongoing and you understand that details will emerge much later. We have spared no expense and have taken the help of top computer security and incident response experts, General Dynamics Corporation, who we have hired to assist with the investigation along with law enforcement and our own teams.
Question: How was the problem discovered?
Shashi: Assuring the security and reliability of our services to customers is our most important priority. While investigating an issue with our ecommerce servers, our operations team discovered the unauthorized code. The code was immediately removed from the affected servers and we began an investigation.
Question: Which law enforcement did Network Solutions notify? FBI? Secret Service? Others? (Editor’s note: the Secret Service, along with the FBI and other Federal agencies, has responsibility for investigating cybercrimes at the Federal level here in the United States.)
Shashi: We notified the Justice Department and the Secret Service. We have also notified the Virginia State Attorney General’s office.
Question: What kind of penalties can there be for this kind of activity by the bad actor who put the code there? Prison? Fines? Have law enforcement indicated to you what kinds of penalties there can be?
Shashi: We hope the “bad actors” are found and brought to justice, and that any punishment will deter others. Our current focus is on providing helpful information and assistance to our merchants and their customers to get through this difficult time.
Question: The CareandProtect website says the activity took place no later than June 8, 2009. What happened between June 8th and now?
Shashi: Our operations team has been working with an outside data forensics team to help determine what the code did, what kind of information it may have impacted, as well as determine if data was being sent to servers outside of our system. It was a difficult and time consuming task to crack the code and the forensics team was able to decode some of it on July 13th to get an idea of the possible type of data the code was capturing.
Given the complexity of the code and the variance in potential exposure, the forensic team was working over that time to identify the scope of the incident and the universe of potentially affected merchants and cardholders. Also during this time we worked to have notification and credit monitoring services from TransUnion in place, as well as an information website so our impacted merchants and their customers would be able to have the information and services they need.
Question: You say no servers of Network Solutions were affected. Does that mean that if I gave my credit card information to Network Solutions to buy a domain name I need not worry?
Shashi: You should have no worries. Our networks and platforms for different services are protected and isolated from each other. The scope of this incident was restricted to some of our ecommerce merchants and has no implications for the security of our data related to any other services or transactions on NetworkSolutions.com.
Question: The website says that you are not aware of any unauthorized use of credit card information on merchants’ ecommerce systems. Is that still true?
Shashi: Yes, that is still true.
Question: How much do you estimate Network Solutions will pay for the TransUnion credit monitoring service?
Shashi: We have employed TransUnion as a close partner at considerable expense to help our impacted merchants and their customers. We are also making available to our merchants the ability to provide one year of TransUnion’s credit monitoring services at our cost. Regardless of the expense, we feel strongly about doing what we can to help our merchants. In summary, the steps we are taking are:
a) Providing notification of the incident to our merchants; and
b) Making the TransUnion service available to our merchants to help them notify their customers and provide their U.S.-based customers with the ability to receive one year of free credit monitoring. We understand that a number of states require merchants to notify their customers, and we have decided that we will help with those notifications, if merchants want us to do so.
Question: Are most of the ecommerce merchants small businesses or large businesses? How would you characterize them?
Shashi: We support a diverse set of businesses, generally classified as small businesses with 1-10 employees from a firmographic perspective. But as any small-business owner knows, each business is inherently unique. Our ecommerce customers range from electronics retailers to niche product sellers such as crafts and fashion. They are by nature entrepreneurial, hardworking and expect the best from the services they pay for.
Question: Are you getting more inquiries on the website or on the toll free number you set up for merchants?
Shashi: Along with setting up the website www.careandprotect.com we have used social media tools like Twitter, blogs, etc. to spread the message faster. Additionally, we have multiple call centers working in concert. A comparison of website activity with phone calls is hard as the audience for these channels can sometimes be different, but having a social media outreach program in place has definitely allowed us to quickly connect with our customers and the community.
Question: What else would you like customers to know about Network Solutions’ commitment to help them deal with any fallout from this issue?
Shashi: Network Solutions has built its brand on service and trust. We have earned JD Powers certifications for our service for four consecutive years. We believe helping our customers is the right thing to do. We invite our customers to share with us any questions or concerns they have on our support site, as many of them already have. In many ways, we feel we are in this with them. Our support team, representing just about every function from legal to customer service to social media, has been conducting an unprecedented outreach effort and has been working around the clock to do what we can.
Managing a situation of this nature in today’s environment is challenging on many levels. There are high expectations for immediate response through new and different media – blogs, Twitter, etc. Additionally, we have to contend with information (and unfortunately misinformation) that is instantly rebroadcast to wide audiences, introducing another challenge of monitoring all these feeds and ensuring that consumers receive accurate information and know where to go for help. So, we expect to learn from this experience in many ways.
* * * * *
In addition to the above information, Shashi also told me that the team at Network Solutions has been working overtime to address this situation. Some members of this special project team worked as long as 43 hours straight to address this situation.