Want CNET to notify you of price drops and the latest stories?

Lengthy Egghead investigation costs banks millions

While the e-tailer spent weeks to conclude that hackers did not get to any credit card information, banks and credit unions paid millions of dollars to reissue cards and compensate employees for overtime.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
While Egghead.com spent weeks to determine that intruders did not access its 3.7 million-customer database, banks and credit unions paid millions of dollars to reissue credit cards and compensate workers for holiday overtime.

Click here to Play

Egghead CEO explains hack attack
Jeff Sheahan, CEO, Egghead

"The attackers broke in, and whether they stole the credit card numbers or not, they created the same amount of damage," said Bruce Schneier, chief technology officer of Counterpane Internet Security.

A company with good security and logging capability should have been able to determine the extent of the intrusion within a few days, security specialists said. In this case, that may have saved banks and credit unions the millions of dollars it was estimated to cost them in what was ultimately an unnecessary effort to cancel the cards.

Egghead, based in Menlo Park, Calif., announced Monday that its investigation indicated that the company's security system interrupted the intruders before they could access customer information. Although Egghead said on Dec. 22 that it expected to learn the extent of the hack within five days, the investigation ended up taking 20 days.

Egghead chief executive Jeff Sheahan apologized for the inconvenience but defended the length of the investigation.

"That was me wanting to be accurate and comprehensive," he said. "I had to sacrifice some speed, but I will take accuracy any day."

Sheahan said Egghead's computer system first detected an intruder Dec. 18. When the network administrator could not assure Sheahan that no credit cards had been taken, he sent them back to investigate further.

On Dec. 21, Egghead hired an outside security team and notified the credit card industry of the intrusion. It announced the intrusion to customers and the public on Dec. 22.

On Monday, Sheahan sent an email to customers saying the internal investigation "has uncovered evidence which suggests that Egghead.com's existing security systems interrupted the intrusion while it was in progress, and that customer data has not been compromised."

The length of the investigation indicates that Egghead did not have the monitoring technology or logging capability to determine what had been accessed, security consultants have said.

"It sounds like they had to do a full forensics analysis to find out what happens. Two and a half weeks sounds about right," said "Weld Pond," the director of research for security firm @Stake, who goes by his hacking name.

Among the credit card issuers who have canceled the cards on the Egghead list are Providian, Citibank, First USA, and several credit unions and smaller banks.

Technology Credit Union, based in San Jose, Calif., estimated that it will cost them several thousands of dollars to replace the cards of less than a thousand members whose names were on the Egghead list.

It costs a credit card issuer between $2 and $5 to cancel and reissue a card. And customers must go without a card until a new one is issued and sent to them.

"It's a lot of work for nothing," said one banking executive, who asked not to be identified. "Our members are very appreciative, but it has cost us two nights of overtime to deal with the (potentially) stolen cards."

Customers are also inconvenienced, as many of them use the cards to automatically pay some monthly bills, said Kari Grove, a supervisor at Desert Schools Federal Credit Union in Phoenix, which had 524 credit cards on the Egghead list.

"If that happened to me, I would be furious," Grove said. "Mine is tied to a lot of charges."

Egghead said a small percentage of the cards have shown fraudulent activity--about 7,500 out of the 3.7 million cards--but the fraud may stem from other hacking incidents. Just days before the Egghead intrusion, a hacker posted about 55,000 credit card numbers on the Internet after a failed extortion attempt against Creditcards.com.

"We have taken additional steps to reduce the possibility of future incidents by continuing to strengthen our security measures," Sheahan said in his email.