I really don’t understand why businesses that have had customer data hacked at their hosting provider do not name the host or third party. Why shield them from bad publicity when their security failure led to the business taking a reputation hit?
Here’s another example, this one from Nite Ize, who was notified of a breach involving their online store on March 11:
Our consumer-facing website, www.niteize.com, is hosted and managed by a third-party website services provider. We recently learned from our service provider that our online store was subject to an attack in early March, and as a result, approximately 309 credit card numbers and certain other customer information may have been accessed by unauthorized parties. We immediately worked with our website provider to block the attack, repair the system, and investigate the incident and damage it caused. We have reason to believe that your credit card information was among those compromised and have contacted our bank and the credit card companies so they can be alerted to any potential fraud or other unauthorized activity.
The other customer data involved may include information that you shared with us when creating a website profile or ordering products, such as your name, Nite Ize user name, Nite Ize password, mailing address, email address, credit card number, and/or telephone number(s).
To their credit, Nite Ize posted an FAQ on the breach on their web site, linked from their home page, with copies of their notification letters.