A massive data breach has been disclosed by Network Solutions, a leading provider of Web services. According to its press release, the company discovered unauthorized code on servers supporting some of its E-Commerce merchants’ websites.
After subsequent analysis, Network Solutions:
"determined that the unauthorized code may have been used to transfer data on certain transactions for approximately 4,343 of our more than 10,000 merchant websites to servers outside the company. On July 13, 2009, we were informed by our outside forensic experts that the data being transferred may have included credit card information."
"The code may have captured transaction data from approximately 573,928 cardholders for certain periods this spring. Exposure varied by merchant, but in all cases took place sometime between March 12, 2009 and June 8, 2009. Transactions after June 8, 2009 were not exposed to the unauthorized code."
So far, there have been no reports of credit card fraud resulting from the breach. Network Solutions also says that:
"We have arranged for a leading credit reporting agency to work with us, on behalf of our merchants, to contact our merchants’ customers whose data may have been affected and provide services that will help potentially affected U.S.-based customers protect their information. These services are being provided free of charge to our merchants and their U.S.-based customers."
The company doesn't know how the unauthorized code got into its servers or where it came from.
In other IT security news, Microsoft is going to release an "out-of-cycle" security patch, most likely tomorrow. The rumor is that a flaw has been discovered that provides a way to bypass Internet Explorer security controls. According to a ComputerWorld news report, which has more detail about the issue, a "cone-of-silence" is being invoked on those knowledgeable about it.
A patch is expected to be available sometime tomorrow.
ComputerWorld also has a story on a zero-day flaw in Adobe's Flash Player that supposedly affects 9 out of every 10 Windows users. The flaw won't be patched until Thursday.
Adobe has known about the problem since the end of 2008, but was only spurred into action when it was hit with a wave of negative publicity about not fixing it.
Finally, eWeek has a story about a security researcher posting two videos to YouTube on how one can access private data on the Apple iPhone 3GS. Apple has been touting its enhanced security features on the iPhone 3GS as a reason enterprises should consider buying them, eWeek says.
Some companies have been reluctant to buy iPhones because of security concerns.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.