[ISN] Breach, undetected since '05, exposes data on Kingston customers

From: InfoSec News (alerts@private)
Date: Tue Jul 17 2007 - 22:30:29 PDT


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9027220

By Jaikumar Vijayan
July 17, 2007 
Computerworld

A September 2005 security breach that remained undetected until 
"recently" may have compromised the names, addresses and credit card 
details of roughly 27,000 online customers of computer memory vendor 
Kingston Technology Company Inc.

The Fountain Valley, Calif.-based company began sending letters to 
affected customers informing them of the incident last week.

According to a spokesman, Kingston's IT team "detected irregularities" 
in the company computer systems at some unspecified point in time and -- 
along with a team of forensic computer experts -- began investigating 
the issues. It was not until after that probe was completed and a final 
report released on May 22 that Kingston could confirm the scope of the 
intrusion and its impact.

"After confirming what data was accessed and who was affected, Kingston 
had to gather the appropriate contact information and arrange for 
consumer protection services and materials to notify the impacted 
consumers," the spokesman said.

But the company did not offer details on how or when the breach was 
discovered and how long it waited to notify customers about the 
potential compromise of data. Kingston, which had $3 billion in sales 
last year, also did not offer any explanation on the nature and scope of 
the breach itself or why it remained undetected for so long. The 
spokesman added that the breach is believed to have been perpetrated by 
an external attacker.

In an e-mailed statement, the company said it has taken "aggressive 
steps" to minimize any potential risk to those affected by the illegal 
access. The vendor said it has contracted with New York-based security 
consulting firm Kroll Inc. to provide services such as credit monitoring 
and, if needed, "identity restoration" free of charge to affected 
customers.

"Following the discovery of the intrusion, Kingston engaged a top 
computer forensics firm to conduct a thorough investigation and assist 
in the development of even greater levels of system security to protect 
against future attacks," the statement said. The company did not 
elaborate on what those measures were.

The note added that, for the moment at least, there is no evidence that 
the illegally accessed data has been misused. "Kingston has always made 
customer privacy a priority and deeply regrets this situation, which is 
the first of its kind in the nearly 20-year history of our company," it 
noted.

