Hacker gains access to Bisons fans' Web data

[security curmudgeon <jericho () attrition org>]

From: InfoSec News <isn () c4i org>

http://www.buffalonews.com/editorial/20060314/1033934.asp

By STEPHEN T. WATSON
News Staff Reporter
3/14/2006

A computer hacker recently gained access to sensitive financial 
information - including credit card numbers - on the Buffalo Bisons' Web 
site, the team is warning its customers.

The Secret Service, with the assistance of the FBI, is investigating the 
security breach, which occurred last month. So far, the Bisons say they 
have no indication that the intruder has misused any of the ill-gotten 
data.

The team has set up a toll-free number for people to call for more 
information and has notified the four credit card companies that are 
involved.

"We apologize for any inconvenience this situation has caused any of our 
fans," the team said in a statement.

Choice One Online, which hosted the Bisons' Web site at the time of the 
breach, said that it has hired the VeriSign global Internet security firm 
to conduct its own investigation into the security breach.

"VeriSign did confirm that we caught it early enough that damage, if any, 
will be next to nothing," said Keith Radford Jr., director of Choice One 
Online.

Employees of the Bisons and Choice One noticed the breach about Feb. 13, 
according to the team and Radford.

An intruder got into the Choice One system and uploaded a program that 
gave this person access to names, passwords, financial data and other 
information collected from customers who ordered items through Bisons.com, 
the Bisons said in a letter to customers.

The intruder accessed the information on the Bisons' Web site, the Bisons 
said, but so far, there is no evidence that this information was misused 
in any way.

The Bisons are cooperating in the investigation by the federal agencies 
and by VeriSign, according to the team's statement.

The Bisons mailed out the letters to any potentially affected Web 
customers shortly after learning of the breach, said Mike Buczkowski, the 
team's general manager. He would not say how many customers might have 
been affected.

The Bisons and Choice One changed their passwords and shut down the 
computer servers that were infiltrated, and the team notified American 
Express, Discover, MasterCard and Visa about the breach.

The Bisons are warning their Internet customers to monitor statements from 
their financial institutions and notify their credit card or debit card 
companies that their accounts might have been compromised. The toll-free 
number the team set up for customers is (800) 380-1447.

Choice One, a Buffalo Internet services company, said the VeriSign 
investigation will show the full extent of the damage caused by the 
breach, which Radford described as "minimal."

The company is beefing up its security measures in response to the 
incident, he said.

Choice One and the Bisons no longer are working together, a move that 
Buczkowski said is not related to the security breach.

The team last July began talking with Major League Baseball Advanced Media 
about hosting the Bisons' Web site, he said, and the switch went into 
effect last month.
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/errata/dataloss/