[ISN] Credit card numbers reported stolen from R.I. state Web site

From: InfoSec News (isn@private)
Date: Sun Jan 29 2006 - 22:32:12 PST


By Ray Henry 
Associated Press 
January 28, 2006 

PROVIDENCE, R.I. - Thousands of credit card numbers were stolen from a
state government Web site that allows residents to register their cars
and buy state permits, authorities said Friday.

New England Interactive, the company that runs the Web site, also
manages Web sites for state governments in other states, spokeswoman
Renee Loring said. On Friday morning it listed Vermont, Maine and New
Hampshire as clients.

Loring said its other state Web sites were not affected.

The private company that runs RI.gov told the state this week that
4,118 credit card numbers had probably been taken, a state official
said. All online transactions were suspended Friday until any possible
security problems could be fixed, and the state planned to notify
cardholders of the breach, said Beverly Najarian, director of the
Department of Administration.

No fraudulent purchases had been reported so far, Najarian said.

NEI said using the stolen information to make a fraudulent purchase
would be difficult. The site's system only records partial credit card
numbers, Loring said.

The breach on Dec. 28 was detected during a routine security audit and
reported to the state government the following day, Loring said. At
the time, the company believed only eight credit cardholders were
affected, she said.

But soon after, an outside security firm discovered a Web site in
Russian listing the names and partial credit card numbers of several
residents, Najarian said. The site, purportedly written by a
university student, claimed he overslept class, found Rhode Island's
Web site and hacked into it. The posting details how he was able to
hack the site.

The purported hacker said he obtained 53,000 credit card numbers.

Loring said the total was much smaller, but would not put an exact
number on the amount, estimating it was in the thousands. She said she
did not know when NEI realized that breach was greater than first

Steven O'Donnell, spokesman for the Rhode Island State Police, said a
computer crimes team was investigating the case.

NEI tightened security, Loring said, although she declined to describe
the measures. She said the Web site is "absolutely safe" and the
intrusion was reported to financial institutions.

The state did not tell consumers about the breach in December because
the hacking appeared limited, Najarian said.

Jeff Neal, a spokesman for Gov. Don Carcieri, said NEI's contract to
run the state's Web site expires this summer and the governor's office
plans a review before deciding whether to extend it.

Officials at Vermont's Department of Information and Innovation did
not immediately return a call for comment.

Erin Hutchins, who manages the Maine government's site, said there
have been no reports of hacking. New Hampshire Fish and Game
Department spokeswoman Liza Poinier said New England Interactive
hasn't handled the transactions on its Web site for about 18 months.

The Rhode Island Web site allows residents to complete dozens of
transactions online.


On the Net:

Rhode Island state Web site: http://www.ri.gov
New England Interactive: http://www.neinetwork.com
Maine state Web site: http://www.maine.gov
New Hampshire Fish and Game: http://www.nhfishandgame.com

InfoSec News v2.0 - Coming Soon! 

This archive was generated by hypermail 2.1.3 : Sun Jan 29 2006 - 22:37:13 PST