Eugene D.

Fanning Center for Business Communication Mendoza College of Business University of Notre Dame

00-12(A)

CD Universe and Internet Security (A)

On January 7, 1999, officials at CD Universe learned that credit card information from 25,000 of their customers had been stolen and posted on the Internet. Major media outlets including CNBC, CNN, The New York Times, The Financial Times and The Los Angeles Times began reporting about the incident shortly thereafter. Brad Greenspan, Chairman of the CD Universe parent company, eUniverse, quickly gathered members of his corporate communication staff and their public relations firm. He knew customer confidence was a key to the companys Internet success, and hoped this would not adversely affect their strong reputation.

In late 1999, a hacker calling himself Maxus was able to obtain customer files for more than 300,000 current and former CD Universe customers. This information included their names, addresses, credit card numbers, and expiration dates. Maxus, who claimed to be a teenager living in Russia, demanded US $100,000 to fix the security problem he had uncovered. On December 25th, angry the company ignored his e-mail and faxes, Maxus opened MAXUS credit cards datapipe (See Exhibit 1). This site featured the credit card information of 25,000 customers and encouraged visitors to use it. Apparently upset at the lack of response from CD Universe, Maxus e-mailed SecurityFocus.com on January 6th to inform them of his actions. SecurityFocus.com, a California based computer security firm, then alerted CD Universe and the media about the existence of the site the following day. CD Universe notified the FBI of the situation, and the web site was shut down on January 7th. According to the web sites counter, more than 25,000 credit card numbers had been downloaded.
This case was prepared by Research Assistants Mike Delahanty, Brendon Scott, and Bryce Simms under the direction of James S. ORou rke, Concurrent Professor o f Ma nagement, as the ba sis for class discussion rather than to illustrate either effective or ineffective handling of an administrative situation. Information was gathered from corp orate as well as p ublic so urces. Copyright 2000. Eugene D. Fanning Center for Business Comm unication. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, used in a spreadsheet, or transmitted in any form by any m eans electronic, mechanical, photocopying, recording, or otherwise without permission.

Key Facts of the Security Breach

ot

op

2 Company Profile

CD Un iverse an d Intern et Sec urity (A )

CD Universe is an online music retailer and a subsidiary of eUniverse, Inc., which owns a network of popular online interactive community, editorial and entertainment-focused commerce web sites. Besides CD Universe, its on-line commerce properties include VideoUniverse and GamesUniverse. Leading gaming community and content sites include BigNetwork, Gamers Alliance, Funone, Cases Ladder and LivePlace. The Internet retailing industry grew at an astonishing rate in 1999. On-line sales rose from $1.7 billion per month in 1998 to $3.6 billion in 1999. Music was the number two product purchased on-line, behind books. With an estimated customer base of more than 300,000, CD Universe had become a mid-size music retailer. Larger competitors like Amazon.com, Barnesandnoble.com and CD Now dominated this extremely competitive and fragmented sector. Historically, CD Universe had been rated among the top online retailers in both customer satisfaction and service as rated by third party rating services such as Gomez.com and Bizrate.com. eUniverse is headquartered in Wallingford, Connecticut. The company went public on August 14, 1999 and its stock is traded on the OTC Bulletin Board under the ticker symbol EUNIE. Revenues for the fiscal year ended March 31, 2000, were $9.1 million and were projected to be $16 million in 2001. The Company lost $6.3 million in the nine months ended December 31, 1999. eUniverse had 6.3 million unique visitors to its web sites in February 2000, ranking it as the 28th largest Internet property. Information Systems and Security

Maxus told the The New York Times via e-mail he could breach ICVerify, which is a credit card verification software program used by CD Universe and sold by Cybercash, Inc. Cybercash is an electronic commerce security firm based in Reston, Virginia, and has both retailers and banks as customers. Scott Collison, a former official at Signio, an Internet payment processing firm and competitor of Cybercash, was quoted in The American Banker saying, that an earlier version of Cybercashs system stored credit card data in a data base on the merchants premises, and could be accessed if security measures were not appropriate. There was a big burden on the merchants side to maintain the system. According to Collison, Cybercashs newer versions of the system maintain the data base on its own property. Daniel Lynch, Chairman of Cybercash, told reporters that Cybercash had discovered a security flaw in ICVerify about a year earlier, but had created a software patch for it and notified its clients. He did not know, however, if all the clients had installed the patch. Chuck

ot

op

CD Un iverse an d Intern et Sec urity (A )

Riegel, Vice President of marketing at CyberCash said in press interviews that their product was no longer being used at CD Universe. Officials at eUniverse would not discuss what security measures were used at any of its sites. This was not the companys first incident with security problems. Previously, CD Universe had sent on-line confirmations for orders placed on the Yahoo! Shopping site. These confirmation notices included the name, address, and credit card information of the customers, and were sent in a plain text format that could be easily intercepted. MasterCard and Visa developed an Internet security standard in the mid-1990s called the Secure Electronic Transaction (SET) Protocol, which was not used by CD Universe. SET is a protocol used by on-line merchants to secure the submission of customer data to the e-retailer. While SET does not validate the authenticity of either party, it does issue a digital certificate to both the merchant and the cardholder that prevents the transmission of the credit card information over the Internet.

After learning of the theft on January 7th, the company immediately notified the FBI and Lightrealm, Inc., which shut down the Maxus web site. Lightrealm is an Internet carrier based in Kirkland, Washington, which was not aware that the hacker was using their system to operate the site. However, thousands of visitors took Maxus up on his offer before the site was closed. Before the site was shut down, a traffic counter indicated several thousand visitors had downloaded more than 25,000 credit card numbers since Christmas Day. On Monday, January 10th, CDUniverse publicly confirmed the theft of customer data from its web site. We take great pains to safeguard the privacy of our customers information and will take all necessary action to limit any loss or inconvenience to customers which may occur as a result of this unusual occurrence. Refusing to bow to this new breed of cybercriminals, we have taken a stand against a new form of online blackmail on behalf of all legitimate e-commerce retailers, said Greenspan, in a January 10th press release. We are working with the major credit card companies to limit any losses or inconvenience associated with the theft of the data, said Brett Brewer, director of Investor Relations. eUniverse also addressed the security issues pertaining to the misappropriated data. While the company confirmed the theft, they did not reveal details on how the security system was penetrated, where the credit card data was stored or whether the Cybercash systems were to blame. Greenspan stated CD Universe was not ready to conclude Maxus had manipulated the Cybercash system to obtain the customer data. The company retained a major New York technology security firm, Kroll-Ogara, to review its security procedures.

Company Response

ot

op

4 The firm sent an e-mail (See Exhibit 2) to individual customers on January 14th, one full week after the company learned of the breach (for a timeline of events see Exhibit 3), to be aware of and report any unauthorized credit card usage. eUniverse subsequently sent customers a $5 gift certificate for the inconvenience. eUniverse also worked with the major credit card companies to limit customer losses; in what is believed to be the largest credit card recall ever over 300,000 cards were replaced. Generally, credit card holders are responsible for up to $50 of unauthorized charges. Questions 1. 2. 3. In an increasingly competitive electronic marketplace, what would you do if you were Brad Greenspan? What is at stake for CD Universe? In light of the other past security breaches at CD Universe, how should they communicate to their customers that Internet transactions are secure?

4. 5. 6. 7. 8. 9.

What is the best strategy in addressing the issues at hand? Is the letter from Brad Greenspan enough? What responsibility does CD Universe have in setting security standards in this new e-commerce world? Did CD Universe respond properly to the hacker?

What would be an effective corporate policy for responding to security threats by outsiders? Can you suggest a list of standards for CD Universe to put in place for future security threats? What impact will this incident have on consumer confidence in on-line shopping? Sources

eUniverse Confirms the Theft of Customer Data From Its CD Universe Subsidiary, PR Newswire, Monday, January 10, 2000. Pollak, Anne. Technology; Credit Card Data Stolen, Posted on Net, Bloomberg News as printed in the Los Angeles Times, Tuesday, January 11, 2000.

ot

op

CD U niverse and Internet S ecu rity (A)

Kelsey, Dick. Teen Loots CD Site of Customer Data In Blackmail Plot Update, Newsbytes full text 2000 Financial Times Information Ltd, Tuesday, January 11, 2000. Markoff, John. Thief Reveals Credit Card Data When Web Extortion Plot Fails, The New York Times, Monday, January 10, 2000. Marjanovic, Steven. Theft of Card Numbers Casts Doubts on Webs Security for Commerce, The American Banker, Inc., Tuesday, January 11, 2000. Lee, Richard. Russian Hacker has Local Impact, Record-Journal, Tuesday, January 11, 2000. Kreinin Souccar, Miriam. SET Protocol Gets 2d Look After Wave of Web Breaches, The American Banker, Tuesday, March 21, 2000. Kehoe, Louise. Hacker Forces Card Recall, Financial Times (London), Thursday, January 20, 2000. Kluger, Jeffrey. Extortion on the Internet: A Daring Hacker Tries to Blackmail an E-tailerand Sparks New Worries About Credit-Card Cybertheft, Time, January 24, 2000. eUniverse Delivers 66% Increase in Revenue over Q299; eUniverse Demonstrates Successful Execution of Business Model with 126% Increase in Advertising Revenue in Q3 Versus Q299, PR Newswire, Friday, February 4, 2000. eUniverse and Take2 Interactive Forge Partnership to Promote Games Online; Multi-Million Dollar Partnership Includes Ad and Sponsorship Buys Across Premier Entertainment Network as Well as Cross-Promotional Opportunities for Global Interactive Entertainment Software Developer, PR Newswire, Friday, March 31, 2000. Tsuruoa, Doug. As E-Commerce Insurance Gains But Slowly, as Policy Writers Still Trying to Grasp All of the Liability Issues Associated with Doing Business in Cyberspace, Investors Business Daily, February 16, 2000. Ceniceros, Roberto. Managing E-Commerce Risk; New Coverage Introduced to Protect Against First-,Third-Party Risks, Business Insurance, Monday, January 24, 2000. Mitkowski, Ethan D. Online CD Store Fixes Holes, Record-Journal, January 17, 2000.

ot

op

6 Exhibit 1: MAXUS credit cards datapipe Hello, my name is Maxus. I would like to present you a credit cards datapipe. If you press the button you will get a real credit card directly from the biggest online shop database. No kidding.

CD Un iverse an d Intern et Sec urity (A )

Hmm, still no reply from the shop! I can't wait any more! Use this fucking cards guys: Click here for virgin credit cards The while: listen to DJ Maxus music, click HERE. Do you wanna be invisible? Click HERE. If: 1) you are interested in thousands of virgin credit cards; 2) you know how to get money from credit cards (at least $300 per day); 3) you know where i can open bank account anonymously for $300 or cheaper (i got a passport/id copy); 4) you know how to get credit card anonymously for $300 or cheaper; Then: please leave me a note or send me an email. OFFICIAL NEWS 1. I got reply from the shop! 2. Datapipe is closed for 1 day. Sorry, I need to know: do they wanna pay or not? OFFICIAL FAQ Q1: Why? A1: Maxus: "I found a security hole. Pay me and I fix it" Shop: ---no reply--Maxus: "Pay me or I publish it" Shop: ---no reply--Maxus: "OK, I'll wait for Thuesday" PS: messages sent via e-mail and fax Q2: Why expiration date is 02/00-04/00? A2: Why not?

Carders guestbook is here E-mail: 1@ng.net Copyright 1999 Maxus

ot

op y

CD Un iverse an d Intern et Sec urity (A )

Exhibit 2: cduniverse credit card info was stolen cmanson from ny January 23, 2000, 04:44:37 PM i received the following email from cduniverse.com and will never use cduniverse.com again. i requested my account be deleted from their computer system. Date: 14 Jan 2000 15:23:35 -0000 From: "CD Universe" <cduniverse@igl.net> Subject: Important Notice! Reply To: manager@cduniverse.com As a valuable customer of CD Universe, we wanted to alert you to the fact that we have recently become aware that a portion of our customer information has been stolen. Along with several other online merchants, we were the target of a sophisticated hacker. We are taking every conceivable step to make sure the information you have provided to us in the past for ordering online is secure and remains so. However, there is a chance that the loss of such CD Universe customer information could result in fraudulent charges on your credit card. For your safety, we suggest you monitor your credit cards closely over the next few weeks and report any suspicious activity to your credit card company and CD Universe as well. We also suggest you change your password by emailing our customer service department at password@cduniverse.com. If you have any questions, please feel free to contact our customer service department at 1.800.231.7937 or questions@cduniverse.com. Our customer service department is open Monday through Friday 9 AM to 10 PM. Once again, I apologize for the inconvenience. We appreciate your business and will do everything we can to help you during this process. Thank you for your patience. Please also feel free to contact me directly at bgreenspan@euniverse.com. Sincerely, Brad D. Greenspan Chairman, eUniverse / CD Universe http://www.cduniverse.com/asp/cdu_main.asp?frm=lk_news Copyright 1999 Gomez Advisors, Inc. contact@gomez.com

ot

op

8 Exhibit 3 Timeline of Events

CD Un iverse an d Intern et Sec urity (A )

December 1999 - Extortionist calling himself Maxus sends a fax to CD Universe offering to not post the misappropriated credit card data or disclose he has the information in exchange for US$ 100,000. Saturday, December 25th - Maxus starts placing the credit card files on a web site after the company did not respond to his demands. Thursday, January 6th - Apparently upset eUniverse did not respond Maxus emailed SecurityForcus.com, a computer security firm based in San Mateo, California. Friday, January 7th - SecurityFocus.com alerts eUniverse and the media to the existence of a web site that Maxus had been using for two weeks to distribute 25,000 stolen credit card numbers. The company contacted the FBI and the web site was immediately shut down. Monday, January 10th The Company publicly confirms the theft of the data from its web site. United States Attorney General Janet Reno called upon the states to increase surveillance of cyber-crime. The companys stock price drops $.75 to $4.50. Friday, January 14th The Company sends e-mail to customers notifying them of the theft and suggested they monitor their credit card activity closely.

ot

C op y