First, there was this:
On January 25, 2017, Combat Brands began investigating some unusual activity reported by its credit card processor. Combat Brands immediately began to work with third-party forensic experts to investigate these reports and to identify any signs of compromise on its systems. On February 23, 2017, Combat Brands discovered that it was the victim of a sophisticated cyber-attack that resulted in the potential compromise of some customers’ debit and credit card data used at www.fightgear.com, www.fitness1st.com, www.ringside.com, and www.combatsports.com between July 1, 2015 to February 23, 2017.
Since that time, Combat Brands has been working with third-party forensic investigators to determine what happened, what information was affected and to implement additional procedures to further protect the security of customer debit and credit cards. Combat Brands removed the malware at issue to prevent any further unauthorized access to customer debit or credit card information. Combat Brands is also working with the Federal Bureau of Investigations to investigate this incident. Customers can safely use their payment card at www.fightgear.com, www.fitness1st.com, www.ringside.com, and www.combatsports.com.
Source: Notification of April, 2017.
But then there was this…
We recently learned that we were the victims of a sophisticated cyber-attack that may affect the security of your payment information. We are providing you with information about the incident, steps we are taking in response, and steps you can take to protect against fraud should you feel it is appropriate.
What Happened? On October 6, 2017, while in the process of running routine scans, we identified some unusual code that was running on our website. On that same day, we discovered that we were the victim of a sophisticated cyber-attack that resulted in the potential compromise of some customers’ debit and credit card data used at www.fightgear.com, www.fitness1st.com, www.ringside.com, and www.combatsports.com between July 1, 2015 and October 6, 2017.
Since that time, we have been working with third-party forensic investigators to determine what happened, what information was affected and to implement additional procedures to further protect the security of customer debit and credit cards. We removed the malware at issue to prevent any further unauthorized access to customer debit or credit card information. You can safely use your payment card at our websites.
Source: Notification of November, 2017.
So since they were first alerted by their credit card processor in January 25, 2017, they were unable to really totally remove disinfect the malware, despite reassuring consumers in April that all was good and it was safe to use their payment cards? Well, they’re not the first who have had that unfortunate experience, but…
There’s actually more….. and you probably never saw and will not see a notification letter concerning what appeared to be yet another security incident unrelated to the one described above.
From my files:
Subject: Olark Chat Transcript – Abbie – Dissent
From: [email protected]
Date: Sat, April 22, 2017 09:51
To: [email protected]
Site: http://www.combatsports.com/security-privacy-policy
2017-04-22 09:45 AM CDT
Transcript ID: keOgqZoMKN3KCE0B1X9pD0ToU14D31AV
You
I’m a journalist/breach reporter and investigator who often gets tips about breaches from researchers. This is not about the breach that Combat Brands already disclosed/reported. This is a SECOND problem: A researcher who routinely scans for exposed databases on shodan.io search engine contacted me to tell me that some Combat Brands and FightGear backups are exposed and freely available to the entire world at the following IP address: 159.203.104.47
Abbie
Good mornig
You
Good morning.
Abbie
I will certainly pass this on to the proper department
Thank you for the information
You
Excellent. Tell them the problem is that Port 443 is open by default and it got indexed by Shodan.io
I see two Fightgear backups from 2016 in there and CombatBrands files.
Abbie
I certainly will
You
Can you please have them email me: [email protected] to confirm when they have secured this?
Abbie
I will pass this information to them
they will not be in until Monday
You
so the data will still be leaking or anyone can be copying it. Not great… 🙁
If you have an escalation procedure, this would be suitable use.
Abbie
Thank you
I just sent email
You
ok, good luck…
They never contacted me after that chat. Did they determine whether any others accessed the unsecured backup files? Was there any payment card info or personally identifiable information in those backups? Were any consumers notified?
And should customers feel safe providing their information to this firm? Would you?
They just sent notification letters. I wasn’t aware of the previous security breaches.
I will never shop through their site again until they change their processing and hosting. since they clearly cannot be trusted. Maybe this explains their desperate attempts this year to lure people in with 40%-50% off coupons on all Combat Brands merchandise. Seemed too good to be true.
I think that every website should go through an existing payment processor that uses 2-factor, like Google Wallet or Paypal.
The question is; What were they doing between April 22 (when you alerted them) and October 6?