Egghead scrambles to gauge damage

Summary: An intruder may have poached the online electronics and computer retailer's database of 3.7 million customers, including credit card information. The FBI and security experts are on the case.

Egghead.com scrambled on Friday to gauge how much of its 3.7-million-customer database had been stolen by intruders during an online theft, which experts believed happened the day before.

"We're in continuous crisis mode here," said a consultant from physical and electronic security firm Kroll Worldwide--the experts called in when Egghead discovered the intrusion on Thursday. The consultant asked not to be named.

On Friday, Egghead.com Inc. (eggs) acknowledged that the company's servers had been hacked by network intruders and its customers' credit-card numbers potentially stolen.

"Egghead.com has discovered that a hacker has accessed our computer systems, potentially including our customer databases," said the online electronics and computer retailer in a statement early Friday.

"As a precautionary measure, we have taken immediate steps to protect our customers by contacting the credit-card companies we work with."

Sources inside the credit-card industry told ZDNet News late Thursday that Egghead had turned over the names of 3.7 million credit-card holders, any number of whom could have had their data compromised.

"It's unclear how much, if any, of that has been compromised, and we have provided this information to the credit-card companies as a precautionary measure," said Shoreen Maghame, spokeswoman for Egghead.

In its October earnings release, Egghead stated that 3.6 million customers had registered to bid on or buy products using its service. Thursday's precautionary measure suggests that the company considered its entire customer database to be at risk from the break-in.

Egghead co-chairman Jerry Kaplan said Friday there was "no evidence" to suggest that any of the credit cards had been taken. At the same time, he could not say for certain that the database had not been pilfered.

"Somebody broke into the Web site, that doesn't mean the customer data was compromised," Kaplan said.

A team of auditors called in by Egghead expects to know within the week whether any credit card data was compromised, Kaplan said. He knew of no complaints about bogus charges surfacing from Egghead customers.

On Thursday, Egghead.com executives denied any break-in, and company officials did not respond to requests for comment until later that night.

Friday morning, the company acknowledged the intrusion in an early-morning press release.

By late Friday morning, law enforcement sources confirmed that Egghead.com had contacted them and that they were investigating the case.

Analysts and industry watchers say the Egghead.com break-in highlights the general lack of security that companies have for their servers.

"Server protection is really out of control," said Avivah Litan of researchers Gartner Group. Given the numbers, the heist is, far and away, the largest credit-card database infiltrated by cyberthieves to date.

A year ago, online music seller CD Universe lost more than 300,000 credit cards to a Russian thief, while earlier this month online credit-card clearinghouse Creditcards.com lost another 55,000.

Egghead's inability to determine how many of its customers had been compromised may mean that the company does not have a real-time auditing system in place, said Paul Robertson, senior developer for security service firm TruSecure Corp.

"If you don't know how many credit-card numbers you lost, you are giving a quick, blanket, worst-case answer--and then finding out what happened afterwards," he said.

Robertson said that Egghead.com is using Microsoft's Internet Information Server, a common e-business server, as the platform for its online service.

IIS is known to have had many security flaws. The two most common exploits are the remote data services flaw--used often by "script kids" to deface Web servers--and a relatively new Unicode exploit that can result in an attacker gaining complete control of the server.

However, Robertson said such holes should have been patched.

"It really doesn't matter what Web server you are running ... if you are not keeping up with patches, you're insecure."

ZDNet News' Patrick Houston contributed to this report.

