Web.com issued the following press release today:
Web.com reported that it discovered an unauthorized breach of one of its computer systems on August 13, 2015. As the result of this attack, the credit card information of approximately 93,000 customers (of the company’s over 3.3 million customers) may have been compromised. The company uncovered the unauthorized activity through its ongoing security monitoring.
The company immediately reported the attack to credit card processors and the proper federal and state authorities. As a further precaution, Web.com is providing a year of credit monitoring protection to impacted customers. Web.com is working with a leading IT security firm to conduct a thorough investigation, and continues to make significant investments in its internal security processes and systems to prevent incidents like this from occurring.
“The security of our customer information is a high priority for Web.com. Our goals are simple – to protect our clients from internet attacks and, in the event that an attack succeeds, to fix the problem immediately,” stated David L. Brown, chairman, chief executive officer and president of Web.com.
All customers that may have been impacted by this breach will shortly receive an email detailing the steps the company is taking. In addition, a letter, sent via the US Postal Service, will follow in the next few days. Finally, the company has posted a list of Frequently Asked Questions on http://security-faqs.web.com.
Neither the press release nor the FAQ on the incident indicates when the compromise occurred; only when it was discovered, although the FAQ indicates that the firm “quickly uncovered” the unauthorized activity through its ongoing security monitoring.
The FAQ describes the type of information involved:
Our investigation indicates that the credit card information of approximately 93,000 customers (of the company’s over 3.3 million customers) has been compromised, including the name and address attached to these credit cards. Importantly, the card validation codes were not compromised, and no other customer information was accessed.
The FAQ also notes that its clients’ online customers would not be affected by this incident.
Significantly, Web.com says it’s data retention policy is to retain data for seven years. They retained credit card numbers for 7 years?? I hope that’s poor writing on their part, but if it’s not, someone should investigate their policies and data security.
Update1: Web.com subsequently informed Threatpost that all credit card data is encrypted. Okay, but it’s still being retained for too long and that needs to be addressed.