Even those who are conscientious may find themselves having to notify consumers of a breach, as One Love Organics discovered last month.
In a letter dated October 30 and signed by Suzanne LeRoux, President of the Georgia-based company, LeRoux writes:
We had performed the required security and hardening procedures required by the Payment Card Industry Data Security Standard (“PCI DSS”). We also use a “payment gateway” in our web store. Your credit card number, expiration information and CVV code is not stored on our system and cannot be accessed by us. We thought we had done all that could be done to protect your information.
So how did the breach occur? LeRoux explains:
On October 15, 2014, we learned that an attacker using the Internet was able to gain access to our web server through a vulnerability in the shopping cart system utilized on our website. The intruder uploaded a malicious PHP script via SQL injection to obtain access to the payment gateway integration code. This allowed the attacker to capture customer account information as it was entered. Some or all of the orders placed on the website between August 24th and October 15, 2014 may have been compromised.
Those notified were not offered any free services, but were given advice as to how to protect themselves. They were also offered a 25% off coupon valid until the end of this year.
A copy of the notification letter can be found on the Vermont Attorney General’s website.
Update: Their report to the New Hampshire Attorney General’s Office indicates that a total of 487 customers were affected.