Almost five months after a security breach was first discovered, lawyers for Cobra Electronics Corporation notified the New Hampshire Attorney General’s Office that its web site at www.cobra.com had been hacked and customer card data might have been accessed.
According to the letter from David E. Teitelbaum of Sidley Austin, Cobra was alerted to a problem on June 14. Subsequent investigation determined that the server had been hacked on June 14. The site was totally offline from June 23 until July 3 while the company addressed the security issues. But according to the notification:
Although the intruder apparently used the Cobra.com site to attempt to download malicious software to customer computers, Cobra did not believe at the time that the intruder had access to any Cobra files containing personally identifiable information, such as cardholder information.
During a routine security review in late September, however, the company realized that there were unencrypted card numbers in archival files on the server at the time of the intrusion. A subsequent forensic examination concluded that there was no access to the data between June 16 and October 2, but the examiners were unable to determine if there had been any access between June 14 and June 16 because the web host could not provide the relevant hard drives. As a result, Cobra decided to notify 9,000 customers whose unencrypted card numbers were on the server at the time of the intrusion or whose unencrypted card numbers were entered after the intruder was shut out but before all data on the server were fully encrypted. The notifications include all customers who made purchases via the web site between November 18, 2007 and September 30, 2009.
Cobra offered affected customers free credit monitoring services and created an FAQ on the breach at http://www.cobra.com/creditcardquestions