Saturday, February 16, 2013

Knit Picks Demonstrates How to Decimate Your Customer Base in 3 Easy Steps

How To Create a Public Relations Nightmare


1. Leave a file containing sensitive, unencrypted customer information, including names, credit card info, addresses and phone numbers exposed to anyone on the internet for at least one full month.  Ensure that the data exposed includes customers shopping during the Cyber Monday and Christmas shopping seasons, promising the maximum number of customers affected.

2. Notice problem; quietly delete file. Send out mass email of latest yarn sale.

3. Weeks later when large customer base learns of breach and complains loudly online, ignore them completely. Bonus points for attempting hyperdeletion of comments on your Facebook page.

Congratulations, Knit Picks. What could have been simply a stupid, embarrassing and common mistake has now cost you untold numbers of both past and future customers.

I'm just learning this information tonight, so there is still a lot that isn't known. As best I can figure out from what has been posted on Ravelry and Facebook, on December 21st a 'breach' occurred that allowed an unencrypted file to be publicly viewed on the internet.

From Privacy Rights Clearinghouse

Customers who had credit card numbers on file after using them at Knitpicks.com, ArtistsClub.com, or ConnectingThreads.com may have had their information exposed.  A file on the Crafts Americana Group, Inc. servers was accessible for a period of time before being removed on January 25, 2013.  The file contained names, credit card numbers, addresses, and phone numbers.

The file contained names, addresses, credit card info and phone numbers of Knit Picks, Artists Club and Connecting Threads customers. No word on how far back the records go but people are reporting stolen credit cards they used as far back as one year ago.

The "breach" was discovered on December 21. The offending file was deleted on Jan 25.

On February 11 the information was made public. Not made public to the customers affected, mind you. Made public to the Attorney General of California when Crafts Americana filed paperwork. And this is how knitters eventually caught wind of the issue.

As of today, February 16th, there has been no communication from Knit Picks informing customers that their sensitive information has been compromised. No email alert, although I did get the email about their new yarn today. No mention on their website. Nothing has been written on their Facebook page. Nobody tweeted from their Twitter account. And no staff have posted to the fan group on Ravelry.

Knit Picks hasn't said a word. I learned about it from a post on Ravelry tonight. Most knitters are hearing the news from Ravelry, Facebook or Twitter.

This is turning into a social media nightmare for Crafts Americana, and frankly, at this point, they deserve it. They have been dealing with this problem for weeks now; they should have had a statement prepared.

I was one of the people who had fraudulent charges on the credit card I used at Knit Picks. I understand companies get hacked and things happen, but when they do it is important to address it immediately and take action.

At this time it doesn't appear that Knit Picks was actually hacked. It looks like the file was left exposed on their server, not stolen by an outside source.

Furthermore, on the Knit Picks site, when you get to the checkout they claim they don't save your credit card information, and yet thousands of customers just had their credit card information stolen.

Coincidentally, I was on my way over to KnitPicks.com to place an order but stopped by Ravelry first. That is when I learned of the security breach and in the next couple hours I have seriously reconsidered ever ordering from them again. The way they are handling this is inexcusable.

Adding insult to injury, Knit Picks is sending out a reply to some people who had emailed them stating:
Thank you for letting us know. We continue to monitor our systems and take security seriously. Any information we are given is immediately relayed to our IT Department. We have 2 companies monitor our websites, Norton Secured by VeriSign and Trustwave. We appreciate our customers letting us know of their experiences. A letter has been sent out to people who may be affected by this.
They have two different security companies watching the site and still no one noticed that a file was exposed to the internet for at least one month? That's incredible.


The Norton Secured guarantees that our credit card information is encrypted using SSL during data transmission.

Too bad it doesn't also guarantee that Crafts Americana will encrypt that data when they store it on their servers.

How do you NOT encrypt credit card numbers?
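As an added illustration, not part of the original post and not anything Crafts Americana is known to run, the script below is the kind of routine check a site operator would schedule to catch exactly this failure: it walks a web document root and flags any file holding Luhn-valid card numbers, so a forgotten unencrypted export is found by the owner rather than by a stranger. The directory layout and the sample export are constructed for the demo.

```python
import os
import re
import tempfile

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum; every major card brand's PANs satisfy it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Distinct Luhn-valid digit runs in text (order numbers etc. drop out)."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def scan_docroot(root: str) -> dict:
    """Map each file under root that holds PANs to the number of PANs in it."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="ignore") as fh:
                pans = find_pans(fh.read())
            if pans:
                hits[os.path.relpath(path, root)] = len(pans)
    return hits


def demo() -> dict:
    """Constructed web root: a harmless page plus a forgotten order export."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "exports"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<p>Order 2013021612345 has shipped.</p>")  # 13 digits, fails Luhn
    with open(os.path.join(root, "exports", "orders.csv"), "w") as fh:
        fh.write("name,card,phone\nA. Knitter,4111 1111 1111 1111,555-0100\n"
                 "B. Purl,5500-0000-0000-0004,555-0101\n")
    return scan_docroot(root)  # one hit: exports/orders.csv with 2 PANs
```

The card numbers in the sample export are the standard Visa and Mastercard test numbers, not real accounts; the order number in the HTML page shows why the Luhn filter matters, since a plain digit-run search would flag it too.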

Trustwave is an interesting one. First it says, "Your credit card and identity information are secure."

And then the disclaimer:

"Disclaimer: Trustwave Holdings, Inc. makes no representation or warranty as to whether Crafts Americana Group, Inc. systems are secure from either an internal or external attack or whether cardholder data is at risk of being compromised. Trustwave Holdings, Inc. makes no representations or warranties regarding this company's business activities or operations. Please contact the company displaying the seal if you have questions about their products, services or customer support."

How can they claim that your information is safe and then put a disclaimer saying they have no way of knowing if your information is really safe? Don't those two cancel each other out?

I'd like to leave you with a screen cap from the Artists Club Facebook page:

"Safe from your husband and the Pentagon"

Your credit card information is safe from your husband and the Pentagon. Assuming neither party has broadband access.



PrivacyRights.org
https://www.privacyrights.org/node/55899

State of California Department of Justice Office of the Attorney General
http://oag.ca.gov/ecrime/databreach/reports/sb24-38867

Submitted Breach Notification Sample Letter being mailed out to affected customers http://oag.ca.gov/system/files/Multi-state%20notification%20letter%20-%20Crafts%20Americana%20-%20letterhead_0.PDF?





6 comments:

  1. WAIT.. someone actually GOT a letter? because I'm still waiting on mine.

  2. I'm shocked to hear that someone got a letter! I still haven't received one and guess I probably won't. Knit Picks either has no clue as to the extent of this data breach or is just outright lying about the window of purchases affected. I will never order from them or any Crafts Americana company again. Shame on them for the way they handled this situation. This company deserves to fail.

  3. I never received a letter, and was surprised a few weeks ago when my credit union called me and asked if I had used my debit card to charge $5.00. I was recovering from surgery and responded no, so they cancelled that card. I had to call, explain that their "service center" called me and advised me of the problem. I received a new card the following Tuesday, but as others have stated, I was unable to purchase groceries.

  4. I still haven't received a letter either. Other than Knit Picks, the only other places I used my debit card was at the grocery store and the ATM at my bank.

  5. I too was part of the customer base whose cards got used fraudulently. Actually, the credit card company stopped it and contacted me. My cards were canceled and I received new ones. KnitPicks NEVER let me know. I never got the letter they purportedly sent out, and only knew of it because I liked them on Facebook and saw it there. I have since unliked them and vented on their FB site to no avail. It's totally frustrating, because I LOVED their yarn, particularly their 100% baby alpaca for a wonderful price, and will never shop with them again because of this unacceptable practice of NOT letting their customers know what had happened. Just indefensible.

  6. As stated above, I am shocked that someone even received a letter. I own a LYS and have a KP wholesale account. After being reimbursed for defective needles, we will be closing our account. What I am most upset about isn't that my info was accessed, but that the company lied--about storing information, about having a breach, and about sending out letters to all affected. Also, their needles and cables are now made in China, and we are having major quality issues. We are now stocking Knitter's Pride--a much better product.
