Hosting company and domain registrar Network Solutions LLC said malware planted on Web servers compromised more than a half million credit card accounts belonging to customers of its e-commerce merchants.
Herndon, Va.-based Network Solutions disclosed the data security breach late Friday. The company said it discovered unauthorized code on servers supporting some of its e-commerce merchants' websites and determined that the code may have been used to transfer transaction data for about 4,343 of its merchant websites to outside servers.
Outside forensic experts informed Network Solutions on July 13 that the stolen data included credit card information. Approximately 573,928 cardholders were affected by the breach, which involved transactions made between March 12 and June 8 of this year, the company said.
"At this point, we have no reports or other reasons to believe that any credit card account information has been misused and, under established practice, credit card issuing companies generally will not hold our merchants' customers liable for any fraudulent purchases made using their credit card account numbers that are reported in a timely way to the issuer," the company said.
In a blog post Sunday, Network Solutions emphasized that the incident affects only its e-commerce customers. Customers of its other products, including domains, email accounts and hosting, were not impacted.
The company is working with law enforcement to investigate the case and has arranged with credit reporting agency TransUnion LLC to work on behalf of its merchants to contact affected customers. Network Solutions set up a website about the security breach.
The company touted in its message to customers that it was PCI compliant, despite the data security breach.
"Assuring the security and reliability of our services to customers is our most important priority. We store credit card data in an encrypted manner and we are PCI compliant. Unfortunately, any company operating in our business could have become a victim of this type of invasion," the company said in its blog post. "In this situation, the unauthorized code appears to have transmitted information about credit card transactions as they were being completed; it did not involve a vulnerability in the way we store data in our systems."
But in a prepared statement, Bob Russo, general manager of the PCI Security Standards Council, urged the company to be more cautious about its statements regarding PCI compliance until an investigation is completed.
"Until a forensics investigation is completed, an organization cannot comment accurately on its compliance status," Russo said. "Friday's announcement of a data breach at Network Solutions underscores the necessity for ongoing vigilance of an organization's security measures. Security doesn't stop with PCI compliance validation. As the Council has said many times, it is not enough to validate compliance annually and not adopt security into an organization's ongoing business practices."
Amichai Shulman, chief technology officer of database security vendor Imperva, said the breach highlights the fundamental security risk of cloud computing. The databases and the servers used by hosting providers become attractive to cybercriminals as more companies turn to cloud-based services to host data, Shulman said in a statement.
"The attackers here aimed on the big prize – the servers," Shulman said. "Instead of dealing with a website here and there, once the hackers broke in, all the sites were open to them. The lesson: once you've penetrated the cloud, you've got an easy path to the important, underlying data."