[ISN] Storage Company's Online Security Breach Exposed

From: InfoSec News (isn@private)
Date: Thu Jun 29 2006 - 01:52:55 PDT


http://cbs5.com/topstories/local_story_178210503.html

By Sue Kwon
Reporting
Jun 27, 2006

(CBS 5) A CBS 5 investigation has confirmed a security breach at a
popular self-storage company that may have exposed customers' private
information on its website.

AAAAA Rent-A-Space has taken its online payment system offline and is
notifying thousands of customers to check for identity theft after CBS
5 told the company about a flaw on their website.

Howard Fortner describes the security at AAAAA Rent-A-Space in Colma
as tighter than Fort Knox. So he was surprised when the cyber gate was
left wide open on the storage facility's website.

While trying to make an online payment, Fortner says he accidently
typed in someone else's storage unit number along with his password,
which is his phone number.

Up popped another customer's private information, including a name,
address, credit card, and Social Security number.

"I thought about mine's as vulnerable as that one," Fortner said. "I
tried it with a different number, and several accounts opened up."

His password opened at least five other customer profiles.

After CBS 5 alerted AAAAA Rent-A-Space to the problem, the company
worked with the Arizona software developer who created the site's
account-based program called "Web-Expres." By late Tuesday afternoon,
they found the glitch and have taken the payment system offline until
it is patched.

AAAAA Rent-A-Space says its online payment system has been up for a
year with no other incidents reported.

The company says it plans to mail out 13,000 letters about the
discovery to custmers in California and Hawaii, including those who
have items stored at the 10 Bay Area facilities.

(© MMVI, CBS Broadcasting Inc. All Rights Reserved.)



_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com



This archive was generated by hypermail 2.1.3 : Thu Jun 29 2006 - 02:05:58 PDT