Hack of Amazon.com's Bibliofind compromises customer data

Computerworld - Bibliofind.com, an online marketplace for rare and hard-to-find books that's owned by Amazon.com Inc., yesterday disclosed that a malicious hacker had broken into its Web site, compromising the security of the customer credit card information processed on its servers between October and February.

Jim Courtovich, a spokesman for Waltham, Mass.-based Bibliofind, said about 98,000 users had been affected. But he added that the company had no information to suggest that anyone's credit card data had been misused.

"In February, there was a defacement to our site," Courtovich said. "When that was investigated, it came to our attention that a hacker had been hacking into our site since October and had downloaded compressed files containing customer information." Systems administrators at Bibliofind didn't detect the activity during routine maintenance checks, he said.

Courtovich said the company has notified the affected users as well as the credit card companies, which in turn notified the issuing banks. Although he said the company had notified law enforcement officials about the incident, he declined to comment on whether a suspect has been identified.

In an e-mail to customers, Bibliofind said, "We have no information at this time to suggest that your credit card has been misused, but we wanted to notify you as a precautionary measure. We have been in contact with the federal law enforcement authorities on this matter, and we have also notified the appropriate credit card companies, so that they can take the necessary steps to protect the interests of any cardholders who may be affected."

The company took its Web site down Friday and removed all credit card information, and customers' addresses and phone numbers, Courtovich said. The site was up and running again yesterday.

"The site will continue to function as a 'matching' service between buyers and sellers," he said. "But now the buyers will complete their transactions directly with the sellers."

Ira Winkler, president of Internet Security Advisors Group in Severna Park, Md., said the reason the hacking went undetected for so long was probably because the hacker was more skilled than Bibliofind's systems administrators.

"A skilled hacker can hide these activities," Winkler said. "I know hackers who have been in systems and the administrators never knew about it." In order to prevent such activities from occurring, he added, companies should train their administrators properly and give them the resources they need to do their jobs.

Related stories:

• Visa offers to help e-merchants meet new security guidelines, March 2, 2001



• Web site upgrades leave some customer data vulnerable, Feb. 22, 2001



• Amazon.com to consolidate European service centers, Feb. 9, 2001