Saratoga Sweets is notifying customers about a hack of their web host’s server. They first learned of the hack on November 25.
In a letter dated December 13, Michael Fitzgerald, Sr. writes that an unauthorized person was able to access the server containing customers’ names, addresses, phone numbers, credit card numbers, and CCV numbers. Forensic investigators were unable to conclusively determine what data was compromised, but know that at least some information was compromised.
This incident resulted from a hack of encrypted servers. The malicious code has been removed the hacker’s access has been terminated. We have no reason to believe there is a risk of a future attack on our Web site, but we will remain vigilant to identify any threats.
The web hosting firm was not named in Saratoga Sweets’ letter, but was named in the state’s metadata for the breach report as Mannix Marketing. Their name also appears as the host on Saratoga Sweets’ web site.
There is no indication as to when the hack actually occurred or for how long data were vulnerable. Nor does Saratoga Sweets offer any explanation as to why CVV data were stored.
Customers were offered free services through AllClear.
A copy of their notification letter is available on the Vermont Attorney General’s Office site. The AG’s site identifies the letter as “Mannix Marketing (Saratoga Sweets, Barkeater Chocolates, Olde Bryan Inn and Coffee Planet), suggesting that at least four other e-tailers should be notifying their customers, too.
There is no statement on Mannix Marketing’s site, nor on any of the sites for the businesses listed. Now what had some of us been saying about a need for a federal law that would require, in part, businesses to prominently a breach alert on the home page of their web sites?
UPDATE 1: We now have Mannix Marketing‘s notification, through their lawyers, to the New Hampshire Attorney General’s Office (pdf). They apparently learned of the breach on November 20, although it is still not clear to me when the breach occurred. Mannix is paying for the credit monitoring for affected customers of its clients.