Information Security News mailing list archives

Columbia House breach exposes customer info


From: InfoSec News <isn () C4I ORG>
Date: Thu, 22 Feb 2001 03:12:06 -0600

http://news.cnet.com/news/0-1005-200-4891643.html?tag=lh

By Stefanie Olsen
Staff Writer, CNET News.com
February 21, 2001, 2:20 p.m. PT

Music company Columbia House left a hole in more than its CDs during
the past week, when a security breach on its Web site exposed
thousands of customer names, addresses and portions of credit card
numbers.

A company representative confirmed the breach Wednesday, calling it
"temporary" and an unlucky outcome of routine development work on the
Web site.

Mark Alway, a software developer from Seattle, discovered the breach
Friday evening while shopping for CDs with a friend. He found that by
trimming the end of the Columbia House Web address, which runs to more
than 100 characters at any given time, he landed on a directory listing
of administrative tools normally unreachable to the average Web
surfer.

This directory mapped out a treasure trove of links to personal
customer data and sensitive Web files including company coupon codes,
log files, and names and passwords to Columbia House's main Informix
database, Alway said in an interview.

"It's almost negligent to have this type of error--it's something
you're trained to solve in very basic Web training courses, not to
leave directory indexing on. A large business shouldn't have such a
simple mistake on their site," said Alway, who immediately sent an
e-mail to technical contacts at the site Friday. He said he received a
response Wednesday that the site had been fixed.

Columbia House spokeswoman Andrea Hirsch acknowledged that a small
collection of the company's customer names and addresses were
available through the files, but she said that without a customer's
full credit card number--only the last four digits were
available--that person's account remained safe.

"Unfortunately, the view screen got switched on to the
site...(allowing) access to a number of directory files temporarily.
But we fixed that immediately," Hirsch said. "Although the issue was
an unfortunate one, we're sure that no sensitive commercial customer
info was obtained during this minor breach."

She said the company was still looking into the vulnerability of
sensitive Columbia House files.

Privacy specialists say this is an all-too-common occurrence.

"This is a classic case of poor security that leads to bad privacy,"
said Larry Ponemon, newly appointed president of Guardent, a privacy
and security solutions company. Ponemon said he had heard of the
vulnerability within his circle of business associates.

The breach at Columbia House is similar to many other technical
glitches at online businesses. In January a security breach at
Travelocity exposed the personal information of thousands of the
online travel company's customers. A month earlier, a hacker broke
into Egghead.com, potentially exposing its 3.7 million customer
accounts.

In addition, security breaches or hacker attacks made vulnerable
customer and client information at CreditCards.com, IKEA and
Amazon.com last year.

Through the Columbia House breach, Alway said he had access to
personal data on 3,700 customers, a figure Hirsch would neither confirm
nor deny.

"I don't think a lot of users want their personal information out
there, and (Columbia House) certainly is not doing a good job of
protecting it," Alway said.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
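The technique the article describes, cutting a long URL back one directory at a time until the server returns an auto-generated index page, and then reading what that index exposes, is easy to reproduce and easy to test for. The following is an added example written for this archive page; it is not code from the article, from CNET or from Columbia House. The host `shop.example.test`, every path, and the index page HTML are constructed for the demo, and the `fetch` callable is injected so the walk runs offline; `http_fetch` is the drop-in for an authorised live check.

```python
"""Walk a long URL back toward the web root and spot directory listings.

Added example (not from the original report). The site, paths and HTML
below are constructed; the layout mimics Apache's mod_autoindex output.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Markers emitted by the auto-index feature of common servers: Apache
# mod_autoindex, nginx autoindex, Python's http.server, IIS directory browsing.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of\s*/", re.I),
    re.compile(r"<h1>\s*Index of\s*/", re.I),
    re.compile(r"\[To Parent Directory\]", re.I),
    re.compile(r"<title>[^<]*-\s*/[^<]*</title>", re.I),
)

# Names that should never be reachable under a web root, let alone listed.
SENSITIVE_NAME = re.compile(
    r"\.(?:log|bak|old|orig|sql|conf|cfg|ini|inc|env)$"
    r"|passw|secret|credential|config|backup|^logs?/$",
    re.I,
)

LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]*)</a>', re.I)


def parent_urls(url):
    """Return progressively shorter URLs: query dropped, then each parent directory.

    A trailing slash asks the server for the directory itself, which is what
    triggers an auto-index response when indexing is left on.
    """
    parts = urlsplit(url)._replace(query="", fragment="")
    dirs = [s for s in parts.path.rsplit("/", 1)[0].split("/") if s]  # drop the file part
    candidates = []
    for depth in range(len(dirs), -1, -1):
        path = "/" + "/".join(dirs[:depth]) + ("/" if depth else "")
        candidates.append(urlunsplit(parts._replace(path=path)))
    return candidates


def is_directory_listing(html):
    """True when the body looks like a server-generated directory index."""
    return any(m.search(html) for m in LISTING_MARKERS)


def listed_entries(html):
    """Pull file and subdirectory names out of an index page, skipping sort and parent links."""
    entries = []
    for href, text in LINK.findall(html):
        if href.startswith("?") or "parent directory" in text.lower():
            continue
        name = href.rstrip("/").rsplit("/", 1)[-1]
        if name:
            entries.append(name + ("/" if href.endswith("/") else ""))
    return entries


def sensitive_entries(entries):
    """Filter listed names down to the ones an assessor would flag on sight."""
    return [e for e in entries if SENSITIVE_NAME.search(e)]


def find_listings(url, fetch):
    """Request each parent of url via fetch(url) -> (status, body); return the URLs that index."""
    return [c for c in parent_urls(url)
            if fetch(c)[0] == 200 and is_directory_listing(fetch(c)[1])]


def http_fetch(url, timeout=10):
    """Live fetch for an authorised test. Not used by the offline demo below."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


# Constructed sample site: one admin directory with indexing left on.
ADMIN_INDEX = """<html><head><title>Index of /cgi-bin/admin</title></head><body>
<h1>Index of /cgi-bin/admin</h1>
<pre><a href="?C=N;O=D">Name</a>  <a href="?C=M;O=A">Last modified</a>
<hr><a href="/cgi-bin/">Parent Directory</a>
<a href="coupons.txt">coupons.txt</a>
<a href="customers.log">customers.log</a>
<a href="db_passwd.inc">db_passwd.inc</a>
<a href="reports/">reports/</a>
<a href="tools.cgi">tools.cgi</a>
</pre></body></html>"""

FAKE_SITE = {
    "https://shop.example.test/cgi-bin/admin/": (200, ADMIN_INDEX),
    "https://shop.example.test/cgi-bin/": (403, "<h1>Forbidden</h1>"),
    "https://shop.example.test/": (200, "<html><title>Welcome</title></html>"),
}


def fake_fetch(url):
    return FAKE_SITE.get(url, (404, "<h1>Not Found</h1>"))


# A constructed stand-in for the 100-plus character address in the article.
LONG_URL = ("https://shop.example.test/cgi-bin/admin/tools.cgi"
            "?session=" + "a" * 64 + "&action=view&customer=12345")

if __name__ == "__main__":
    for hit in find_listings(LONG_URL, fake_fetch):
        names = listed_entries(fake_fetch(hit)[1])
        print(hit, "->", names)
        print("  flag:", sensitive_entries(names))
```

Two checks go with this. First, the server-side setting Alway refers to: on Apache it is `Options -Indexes` in the relevant `<Directory>` block or `.htaccess`, on nginx `autoindex off;`, and an index page should then return 403 rather than a listing. Second, turning indexing off only hides the names; a file such as `db_passwd.inc` is still served to anyone who guesses its path, so the durable fix is to keep credentials, logs and backups out of the document root entirely and to give scripts their own unlisted, authenticated location.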