FBI probes extortion case at CD store

Taking advantage of an apparent security breach in CD Universe's database, a hacker posts links to customer information after purportedly failing to extort money from the online music store.

4 min read
Taking advantage of an apparent security breach in CD Universe's database, a hacker posted links to potentially thousands of customer names, addresses and credit card numbers after purportedly failing to extort money from the online music store.

The hacker, who goes by the name "Maxus," claimed to have tapped into an estimated 350,000 user names and credit cards from CD Universe. Before posting access to the information through a Web site identified only by its IP address, he demanded $100,000 from the Connecticut-based Web store.

In a statement issued today, eUniverse, which owns CD Universe, acknowledged that a portion of its customer data had been stolen. The company said it had notified the FBI after the hacker attempted blackmail. The FBI shut Maxus' Web site Saturday after it was discovered, the company said.

The hacking is the latest in a string of online privacy-related incidents that have come to light in just the last few weeks. These cases, along with concerns that were heightened by the holiday shopping season, have revived questions about what companies are doing with confidential customer information.

An FBI representative in Connecticut said the bureau was investigating the potential extortion of CD Universe but declined to comment further.

"We take great pains to safeguard the privacy of our customers' information and will take all necessary action to limit any loss or inconvenience to customers, which may occur as a result of this unusual occurrence," company chairman Brad Greenspan said.

In an email message to reporters, a person claiming to be Maxus indicated that he had previously broken into systems using e-commerce transaction software ICVerify. A representative for eUniverse could not confirm whether the company does indeed use ICVerify but believed that it did.

ICVerify and other payment verification programs owned by CyberCash ran Security, privacy issues make Net users uneasy into a Y2K-related problem that doubled-billed consumers for transactions if merchants didn't install software to fix it. However, ICVerify does not seem to have a track record of vulnerabilities, according to Frank Prince, an analyst who covers security technology for Forrester Research.

Prince stressed that there is no evidence yet that Maxus actually broke into CD Universe's systems. The hacker could have obtained the data from an inside source who copied the database onto a floppy disk and then sent it to the hacker.

"Could this be a new exploit of some kind? It could be," Prince said. "Do we know that to be true? No we don't."

Security experts said that even if there was a breach in CD Universe's payment systems, they doubt that the same problem could be exploited within like systems at other Web stores. Online merchants use a variety of transaction software, and even those that run the same system software often use different versions of it, said Rex Baldazo, an analyst with Jupiter Communications.

The security breach at CD Universe comes as privacy concerns have again jumped to the forefront of Net users' concerns. Last week, Northwest Airlines said that it had experienced a security breach in its Web site, Amazon.com's Alexa Internet was sued by a user over privacy concerns, and the Federal Trade Commission reached a settlement with ReverseAuction.com concerning a spamming incident on eBay.

For its part, eUniverse is notifying its customers that their credit card information might have been compromised, said Brett Brewer, the company's vice president of e-commerce. eUniverse also is working with the credit card companies to cover any possible fraudulent charges. Consumers are normally responsible for the first $50 of charges made without their consent.

But Ethan Preston, a law clerk with the Electronic Privacy Information Center, criticized the company for keeping so many records on file. Preston contends that no company can completely secure its data, let alone large amounts of stored files. Companies should regularly purge old data to protect users' privacy, Preston said.

"When you consent to a credit card transaction, you assume the information will be used for that single transaction," Preston said. "When it is held beyond that transaction, it can be used in ways that you're not comfortable with--and if their security isn't strong enough, you've got a real problem."

"Credit card theft is probably more common than we think," said Elias Levy of security firm Security Focus. "There is an incredible amount of small to medium e-commerce sites out there taking credit cards for payment online that did not secure those credit cards correctly or enough."

The troubling thing about stealing credit cards over computer networks is that so many can be obtained in one fell swoop, Levy said. "When you get broken into, you lose possibly hundreds or thousands of credit cards. It's not like going to the Dumpster next to the restaurant and seeing a couple carbon copy receipts," he said.

News.com's Stephen Shankland contributed to this report.