Egghead.com Hackers Tap Into Systems

yahoo

Friday December 22 9:50 AM ET

Egghead.com: Hackers Tap Into Systems

MENLO PARK, Calif. (Reuters) - Internet retailer Egghead.com Inc. on Friday said that a hacker had accessed its computer systems, possibly its customer database, and it is now taking steps to protect its customers' credit card accounts and the security of the site.

The Menlo Park, Calif., company, which sells computer hardware, software and other home and office products via the Internet (http://www.egghead.com), said in a statement that it has retained an unnamed computer security firm to conduct an investigation and inspect its security procedures.

Egghead did not say how it learned of the security breach. Nor did it say whether any fraudulent purchases had been made or if any customer accounts had been tampered with. Company representatives could not immediately be reached for comment.

"As a precautionary measure," Egghead said in the statement, "we have taken immediate steps to protect our customers by contacting the credit card companies we work with.

"They are in the process of alerting card issuers and banks so that they can take the necessary steps to ensure the security of cardholders who may be affected," it said, adding that it is also working with law enforcement authorities, who are conducting a criminal investigation.

-- Rachel Gibson (rgibson@hotmail.com), December 22, 2000

Answers

Egghead scrambles to gauge damage

An intruder may have poached the online electronics and computer retailer's database of 3.7 million customers, including credit card information. The FBI and security experts are on the case.

On Friday, Egghead.com Inc. (Nasdaq: EGGS) acknowledged that the company's servers had been hacked by network intruders and its customers' credit-card numbers potentially stolen.

"Egghead.com has discovered that a hacker has accessed our computer systems, potentially including our customer databases," said the online electronics and computer retailer in a statement early Friday.

"As a precautionary measure, we have taken immediate steps to protect our customers by contacting the credit-card companies we work with."

Entire customer database?

Sources inside the credit-card industry told ZDNet News late Thursday that Egghead had turned over the names of 3.7 million credit-card holders, any number of whose data could have been compromised.

"It's unclear, how much, if any of that has been compromised, and we have provided this information to the credit-card companies as a precautionary measure," said Shoreen Maghame, spokeswoman for Egghead.

In its October earnings release, Egghead stated that 3.6 million customers had registered to bid on or buy products using its service. Thursday's precautionary measure suggests that the company considered its entire customer database to be at risk from the break-in.

Egghead co-chairman Jerry Kaplan said Friday there was "no evidence" to suggest that any of the credit cards had been taken. At the same time, he could not say for certain that the database had not been pilfered.

"Somebody broke into the Web site, that doesn't mean the customer data was compromised," Kaplan said.

A team of auditors called in by Egghead expect to know within the week whether any credit card data was compromised, Kaplan said. He knew of no complaints about bogus charges surfacing from Egghead customers.

On Thursday, Egghead.com executives denied any break-in, and company officials did not respond to requests for comment until later that night.

Friday morning, the company acknowledged the intrusion in an early-morning press release.

By late Friday morning, law enforcement sources confirmed that Egghead.com had contacted them and that they were investigating the case.

Largest heist ever?

Analysts and industry watchers say the Egghead.com break-in highlights the general lack of security that companies have for their servers.

"Server protection is really out of control," said Avivah Liton of researchers Gartner Group. Given the numbers, the heist is, far and away, the largest credit-card database infiltrated by cyberthieves to date.

A year ago, online music seller CD Universe lost more than 300,000 credit cards to a Russian thief, while earlier this month online credit-card clearinghouse Creditcards.com lost another 55,000.

Egghead's inability to determine how many of its customers had been compromised may mean that the company does not have a real-time auditing system in place, said Paul Robertson, senior developer for security service firm TruSecure Corp.

"If you don't know how many credit-card numbers you lost, you are giving a quick, blanket, worst-case answer--and then finding out what happened afterwards," he said.

Hacked servers by Microsoft

Robertson said that Egghead.com is using Microsoft's Internet Information Server, a common e-business server, as the platform for its online service.

IIS is known to have had many security flaws. The two most common exploits are the remote data services flaw--used often by "script kids" to deface Web servers--and a relatively new Unicode exploit that can result in an attacker gaining complete control of the server.

However, Robertson said such holes should have been patched.

http://www.zdnet.com/zdnn/stories/news/0,4586,2668562,00.html?chkpt=zdhpnews01

-- Martin Thompson (mthom1927@aol.com), December 22, 2000.


I won't start a separate thread on this unless I can find an online article, but tonight's TV news is reporting that the computer system of the Calgary Regional Health Authority was "broken into" with several files "taken."

-- Rachel Gibson (rgibson@hotmail.com), December 22, 2000.
