When Rogelio Hackett, Jr. pleaded guilty earlier today, media coverage noted that investigators had found over 675,000 credit card numbers (“access devices”) on his computers or in his email accounts at the time his home was searched in June 2009.
Reportedly, 359,661 of the 676,443 card numbers came from “Company One’s” customers.
According to a court filing, Hackett would search databases for SQL vulnerabilities and use them to gain access. First in August 2007, and then on an unspecified later date, Hackett reportedly accessed Company One’s database. Company One was described only as an online ticketing services provider that enables customers to order and pay for tickets for events at libraries, museums, theatres, performing arts centers, raceways, sporting teams, and festivals.
Did Company One even know that they had been hacked? Were their customers ever notified?
Looking at other court filings by the government seeking court approval to use alternative notification procedures, it would appear that these customers may never have been notified of the breach involving the ticket provider. Was the ticket provider, “Company One,” even notified by the government after the government uncovered the breach?
Good questions, since I don’t remember a ticket company reporting a breach of that size. Anyone else remember one? Why are they protecting the company and not consumers?
Consumers will be protected by the substitute notice worked out in court – Visa, MC, AmEx, and Discover are all being notified so that they can take the next steps to protect the consumers.