Saturday, March 03, 2007

Bruce Harrington, the company's director of sales and marketing, said 11,500 credit card accounts were stolen electronically in February.
"This is a violation, this is a criminal act and it's on us," Harrington said. "We are a victim here; it wasn't like we had credit card information ready for the taking."
He said the FBI was immediately notified and the case is under investigation.
Todd Difede of the FBI's Portland office said it is not bureau practice to discuss criminal cases before the cases are adjudicated.
Of the total number of accounts that were breached, about 20 of the credit cards were used fraudulently, Harrington said.
He said the last known Internet Service Provider to register action involving the Johnny's case was somewhere in the United Kingdom.
Harrington said the security system was hacked in a very sophisticated, methodical way.
"Essentially what happened is that criminals gained access to our internal systems and gathered enough information to allow them to then gain access to our Web site," Harrington said.
The company's "server farm" in Kentucky was the target, he said.
"They hack in there with the information they have, then they can get into information that's stored on the Web, which included credit card information," he said. "Since then, emergency measures have been implemented and the site is being monitored around the clock to ensure this doesn't happen going forward."
Letters have been sent to each of the account holders, who then contacted their banking institutions and credit card companies to prevent further breaches and additional fraud.
Harrington said the breach was noticed on Feb. 18, when two customers called and said their credit cards had been compromised with fraudulent charges.
"They had shopped here as well as other locations," Harrington said. "As a security precaution, we immediately notified our Web vendor that handles our Web site, as well as our (information technology) department internally, and started hunting for any breaches in security."
The investigation by the company's emergency response team determined that the original illegal entry happened Feb. 4. The system was locked down, passwords were changed, hard drives were removed and multiple new security layers and software were put in place to make sure something like this does not happen again, he said.
Harrington said he has no idea why a relatively small seed company in rural Maine would become the target of an Internet sting. He said the Johnny's security system was no easier and no harder to access than any other private business.
"We asked the same question -- why us?" he said.
Harrington said the company had installed "hacker safe" software before the breach, but the system was compromised anyway.
"It wasn't a Web site hack," he said. "It was a breach of security from outside, into our internal security system's network here in Winslow, from which they were able to gather enough information from looking at screens and passwords, to then get into the Web site undetected, grab that information and leave."
Harrington said Internet fraud is nothing new. He pointed to recent breaches at T.J. Maxx and Bank of America systems as two examples.
Johnny's Selected Seeds is a mail-order seed producer located in Albion and Winslow. The company was established in 1973 by Chairman Rob Johnston, Jr.
Harrington said 70 percent of the company's customers are commercial growers. The company exceeded $13 million in sales last year.
The company's export department ships seeds internationally and throughout the United States, both in retail and wholesale, and in small and large quantities.
Harrington said the company employs about 130 people this time of year in anticipation of the spring and growing season.
He said the breach and subsequent investigation, mailings to affected customers and software corrections have cost the company tens of thousands of dollars. "This has really put a financial burden on us in the short term," he said.
Harrington said he thinks the company's quick discovery of the breach and its quick action to alert customers prevented the additional use of the stolen credit card data.
"I think we prevented a lot of things by early detection," he said.
Doug Harlow -- 861-9244
dharlow@centralmaine.com

Reader comments
It doesn’t really matter how customer focused or nice they are, they have been at least naïve, at worst negligent with the details of their customers' credit cards. Maybe if they had spent ‘a lot of money making their servers more safe’ in the first place this might not have happened.
The internet is a bit like a shopping street where the shops have no locks in the doors and the windows have no panes. The hackers are not bored individuals but highly motivated and well funded international gangs.
The real impact to individuals of identity theft is not the loss of cash associated with fraudulent transactions, but when they are standing in the lobby of a foreign hotel four years hence, trying to explain why the anti fraud systems have turned down their credit card.
Are Johnny's aware of the requirements of PCI-DSS and will they comply?
Yes, the company is responsible for the customers' credit card information, but what you don't know is that they do lose money. They have to pay out for every credit card stolen - and they pay out to the major credit card companies.
Also, they did spend a lot of money making their servers more safe. So instead of attacking every article on the website maybe you should do some homework first.
Johnny's is an excellent business that gives the customer the one on one attention that all companies should. It is unfortunate that some hacker on the other side of the world has nothing better to do with his life than steal credit card numbers. I just want to compliment Johnny's on how fast they contacted their customers (including myself) and the initiative they took to do everything in their power to make the best out of a bad situation.
I will continue to do all of my seed shopping with them.
Also, you should never be storing credit card information in a webserver platform longer than the time needed to process the transaction. Doing anything else opens oneself to problems like this.
What a crock. It is the company's responsibility to secure their web and internal systems. They failed.
The big problem is that as it stands now a company that is breached has no financial responsibility. The banks that issue the cards take the losses. And the customers have their identity stolen.
So there is no incentive for a company like this to spend money to secure their systems. The law needs to be changed so that all losses fall back on the company that is breached - not the banks. Then maybe these businesses will consider security important.