Alpha Software Inc., a business that focuses on development tools for businesses wishing to create AJAX-based platforms, recently announced a data breach in a manner so casual, some actually questioned if it was real.
A rather strange breach notification raised a few questions.
One Security Fix reader, who saw the notice from Alpha Software, asked Brian Krebs to investigate. It turns out that the notification was spot on. Alpha Software did suffer a breach and sent out the letter. The letter itself is bland, and comes off as unfeeling while placing all the blame elsewhere.
After reading the letter, Krebs commented that, “This is a bit like crashing into someone's car in a parking lot, and then leaving a note on the wrecked car's windshield saying ‘Gee, it looks like your car got messed up. That really stinks. You might want to have a mechanic look at it. Going forward, I'll try to pay more attention to those lines on the road. This will reduce the chances of your car and mine being in the exact same place at the same time.’”
So what did the notice say exactly to make Krebs so cynical?
Dear Customer,
We have been informed that there has been a security breach at the Internet Service Provider where our web site is hosted. This may have resulted in your credit card information being compromised. While it is entirely possible that your credit card information has not been stolen, in the interests of caution, we recommend that you contact your credit card provider to discuss what steps, if any, they recommend.
Going forward, we no longer store credit card information on our side. This will eliminate any risk associated with placing credit card orders on our site. We thank you for your support and look forward to helping you build your businesses and organizations with Alpha Five Version 10.
Sincerely,
Alpha Software
Krebs was right; it does appear that they were quick to blame someone else. The Washington Post reporter asked Alpha Software co-chairman Richard Rabins to talk on the record about the notification and the breach. After ten days, Rabins had provided no comment.
For the record, Krebs noted that he tried both phone and email. Oddly, there is no official press contact listed for the company, only a Web form for initial electronic contact. Richard's email address is in the forums, so we emailed him to see if he would talk about the breach. He did respond, and we have posted the questions and answers below.
The Tech Herald (TTH): How long after the breach was detected before you sent out the notices?
Richard Rabins (RR): Once we confirmed the breach, we sent the notice out the next business day. We wanted to have the shortest possible delay to ensure that our customers could take whatever action they needed to take as soon as possible.
TTH: The notices appear to come off as impersonal, and offer no regret. Was this intended?
RR: Not at all. This was not intended - we have a long-standing relationship with most of our customers and we certainly did not intend the notice to come off as impersonal or lacking in regret.
TTH: When contacted, Web.com said there was no breach. Were they not the ISP mentioned? If so, would you comment on who it was?
RR: Web.com was not the ISP in question. We are investigating and I do not want to compromise the investigation at this stage by disclosing who the ISP is.
When the security of Alpha Software’s flagship product Alpha Five was questioned over the breach, Rabins posted this to the forums, “The system we use to handle orders is a system that was NOT built in Alpha Five. It was originally designed BEFORE Alpha Five also became a web development tool! Numerous highly secure web apps have been designed with Alpha Five.”
When we asked about the system ourselves, Rabins told us, “…it was a custom e-commerce app that predated our web development tool, and it was an .asp application.”
As for the cause of the breach, Rabins said they have a “pretty good idea” what caused it, and have since “altered the system to prevent a reoccurrence.”
There were a handful of claims made by Alpha Software customers about odd purchases in the company forums. One of them reported a rather high charge to a store that sells ammunition.
Another said, “I had a $25 charge from Golfsmith on 11/10. I called them and was told to submit a claim to my cc company. I managed to get them to tell me what was purchased - A gift certificate that was sent to a yahoo email account. They would not give me the yahoo email address. I cancelled my card with the cc company.”
So far, based on forum comments, the cards compromised have been disabled, and the fraudulent purchases refunded. Despite what looks like a lack of passion or remorse, the notification from Alpha Software appears to have gone over well with most of those who commented.
What are your thoughts on the notice letter? Is it a simple run-of-the-mill notice, much like those sent by larger firms? Is it too lackluster; should there be more information and perhaps an apology? Leave a comment and share your thoughts.