On Monday, Edmund Optics issued a statement on its web site about a security breach:
On Sunday, February 26, 2012 Edmund Optics identified suspicious activity on our website and quickly determined there had been a breach of our security. Actions were taken immediately to stop the intrusion, increase security and prevent further unauthorized access to breach of our website and systems. We deeply regret any inconvenience to our customers from this incident and we will continue to make every effort to rectify this situation. Our customers are our top priority. We extend our sincere apologies and will continue to provide updates to our customers as they become available.
During our ongoing investigation, we identified certain customer accounts that we believe have been compromised. We are taking precautionary measures and sending a notification package to any customers who may potentially be impacted. The package will include a letter regarding the ongoing investigation, steps on fraud prevention and information regarding free credit monitoring services for one year paid for by Edmund Optics where available. Every customer who may be impacted will be notified directly. If you are not notified shortly, you should assume your account has not been compromised.
Edmund Optics has hired Trustwave Corporation to complete an extensive investigation of the incident. In addition, we have engaged Kroll Corporation to provide our customers with any support services they need regarding fraud prevention and credit monitoring in the event that they have been impacted by this incident.
The trust and security of our customers is of paramount concern. We continue to take the necessary steps to prevent future unauthorized access to our website and company data.
Sincerely,
Robert Edmund
CEO
Edmund Optics
Their notification to the New Hampshire Attorney General’s Office provides some additional details on the incident. They note that hackers had exploited a vulnerability in Cold Fusion 8. Between February 8 and February 26, when the breach was detected, the intruders had been able to access customers’ personal information, including credit card information. The notification did not indicate whether it was credit card numbers or numbers plus expiration dates and/or cvv. At the bank’s request, the company is undergoing a PCI compliance audit. There was no indication as to how much data was stored on the server and whether only recent customers were affected or if they had retained data on older transactions.
Although not many New Hampshire residents were being notified, the firm notes that they are also notifying regulators in other states and relevant foreign entities.
The Secret Service is investigating the incident.