Back in April 2013, 80sTees (80sTees.com) notified a number of state attorneys general that their customer payment card data had been compromised.
According to reports to New Hampshire, Vermont, Maryland, and California: on January 29, 2013, the Pennsylvania-headquartered firm was asked by Discover to examine their system after suspicious charges were noted on customers’ cards following purchases on their web site. In response, 80sTees stopped storing credit card data, removed all stored card data from their system, contacted the Secret Service, and brought in forensics examiners. At that time, they found no evidence of any intrusion or vulnerabilities on their server.
On February 27, they learned that a small number of Visa customers had also experienced fraudulent charges on their cards following transactions on their web site. On March 6, they learned that a large number of MasterCard customers had experienced fraudulent charges going back to the second half of 2012.
On March 12, the forensic investigator determined that malware had been inserted on their system sometime in early June 2012. The malware had bypassed 80sTees’ anti-virus and malware scans.
As a result, in April 2013, 80sTees notified approximately 3,503 customers, even though the forensic examiner had reported that 2,598 were affected as of April 22, 2013. American Express also notified its customers, although their letter did not name 80sTees as the affected merchant.
But that’s not where the story ends, it seems. On April 30, 80sTees heard from two customers who experienced fraudulent charges after April transactions. 80sTees reported that to the Secret Service, who reportedly then placed a hold on notification letters so as not to interfere with their investigation. That hold was only lifted on January 23, 2014, when the Secret Service completed its investigation. The investigation determined that the card data was being exfiltrated to an external e-mail account.
Based on what they learned, 80sTees decided to notify all customers who ordered through their site during the period June 3, 2012 – April 30, 2013 if they had not already been sent notification letters in April 2013. Those letters were sent out this month. Of note, their letter to affected customers says that although the Secret Service was not able to definitively determine the person responsible for the intrusion, based on the information the firm has at this time, they believe the attack was the work of a former high-level employee who has since died. They also note that there appears to be no connection between this incident and attacks on major retailers.
In their February notification letter, they again do not offer those affected any free credit monitoring services, but that may be because they believed that all the compromised accounts had already been cancelled by the card issuers. They did offer affected customers a profound apology and a 50% off coupon with a value up to $100.00.
80sTees also took a number of substantive steps to improve the security for customer transaction data, and infosec people will find their somewhat detailed explanation of steps they have taken interesting to review.