Yesterday, I posted an entry about a recent breach reported by Amway Global that seemed essentially identical to a breach that they reported last year. I questioned whether Quixtar/Amway had correctly identified the source of the earlier breach and perhaps failed to address it. I had called Amway to discuss the breaches, but had not received any return call. Yesterday afternoon, Amway did return the call, and I put the question to them. Here is their response, in its entirety, which I received this morning, and I am pleased to give them the opportunity to explain and defend their security:
Amway Global is committed to maintaining the highest level of security and privacy of information submitted to its website.
The company has confirmed that individuals who are not account holders have accessed some accounts on AmwayGlobal.com using legitimate username and password information. This issue is not a breach of the IT security infrastructure of our site. Rather, somebody has obtained legitimate usernames and password information from another source – not from our website. In other words, our house has not been broken into, but someone has gotten their hand on the keys to a few rooms and used them to enter without permission. We do not know right now how this happened. One possibility is that users of our website are using the same username and passwords as they are using on other – possibly less secure – websites.
While this issue sounds very similar to one Amway Global experienced last year, we have not confirmed that it is. Last year, we did confirm the likely source of username and password information that was fraudulently tapped into in 2008 and were able to remedy the situation for our users and notify the other website of the security issue and how to address it on their own site. Last year’s issue also was not a breach of the IT security infrastructure of our site.
Amway Global has launched its own ongoing internal investigation into this issue and is working to determine the source of the problem. We also have alerted law enforcement authorities about this incident and will cooperate with any investigation they launch. In addition, Amway Global has contacted those whom we know have been affected to recommend remedies.
While we are working diligently to determine the source of this fraudulent activity, there are unfortunately limited measures that can be taken to block access to someone who has obtained legitimate username and password information through ill-gotten means. The best course of action is to follow best practices, which is why we encourage all Amway Global Independent Business Owners and their customers to create strong passwords unique to their Amway Global accounts and change that password frequently. Also, it is strongly advised that IBOs and customers run current anti-virus, anti-spyware on their home computers and keep their operating systems up to date. A good source of information to protect your privacy online can be found at http://www.ftc.gov/bcp/menus/consumer/tech/privacy.shtm.