The president and CEO of Egghead.com Inc. has said that an internal investigation into the recent security breach at its Web site indicates that no customer data has been compromised because of an attack on its systems.
The company, which sells computers, software, consumer-electronic equipment and other products through its Web site, said the FBI is also investigating the security breach. The internal investigation is being led by New York-based Kroll Associates, a business investigations, security and intelligence firm.
Earlier this month, the on-line technology retailer disclosed that a hacker had managed to penetrate its computer systems, potentially including its customer databases, which contain credit-card numbers and other personal information.
However, in a statement, as well as in a letter to customers, Jeff Sheahan, CEO of the Menlo Park, Calif.-based company, said evidence uncovered by Kroll “suggests that Egghead.com’s existing security systems interrupted the intrusion while it was in progress.”
Sheahan also said that reports from the credit-card companies that Egghead.com works with indicate that suspected fraudulent activity has been observed on fewer than 7,500 credit-card accounts that appear in its system, which contains approximately 3 million credit card numbers.
“The evidence Kroll Associates and our team have gathered to date suggests that neither these, nor any other credit card numbers, were obtained from our site,” Sheahan said in the statement.
Julianne Presson disagrees.
Presson, who e-mailed Computerworld (U.S.) from her parents’ home near Berkeley, Calif., said she notified Egghead.com more than six months ago that her credit card number had been used by someone in Russia.
“I knew they got it from Egghead.com because that was the only [on-line company] where I used my credit card and within a week my card was debited for US$26.30 for a URL in Russia that didn’t even have a site up,” Presson said. “I’m really angry because Egghead.com did not even acknowledge my message to them.”
Presson said she was able to track down the hacker using NeoTrace, an Internet tracing product, and other software.
“I had to go dig to find the domain registration and get the info for the contact person,” she said. “Then I e-mailed him and told him I knew what he was doing. He was shocked that I had tracked him down. He said someone had gotten lots of card numbers and to expect more charges. I wrote back and told him there would be no more charges because I had changed the card number and I was going to get a refund from the bank, the Wells Fargo Bank in Payson, Ariz. I was told by the bank this happens a lot in Russia.”
Egghead.com spokesperson Shoreen Maghame said the company couldn’t find any information that Presson had previously reported a potential security-related problem.
“This is the first security breach that we’re aware of,” she said.
Even if none of the credit card numbers in question were stolen from Egghead’s databases, analysts said the company still has to convince consumers that its site is safe.
“The important thing here is that if these people feel they were victimized [by shopping at Egghead.com] they will not patronize Egghead again, no matter what happens,” said Eric Hemmendinger, an analyst at Aberdeen Group Inc. in Boston.
Mark Rasch, the former head of the U.S. Department of Justice’s Computer Crimes Unit, said Egghead.com has to persuade people to use its site in the future.
“They have to put in effective measures right away to ensure the confidentiality [and security] of consumers’ credit card numbers and other personal data,” said Rasch, vice-president of Predictive Systems Inc., a New York-based network infrastructure consulting firm. “Egghead.com has a privacy policy that says they will do just that, so they are bound by law to do so.”
In the statement, Sheahan said that, with the assistance of Kroll Associates, Egghead.com has taken additional steps to increase its security in order to reduce the possibility of any further security breaches.