Hobby Search was hacked, Check your Credit card now!

——Regarding a security breach and stolen customer data——

To Hobby Search customers:

We are writing to let you know of a hacker or hackers that penetrated our computer system and accessed customer data including credit card information.

At the time of writing, we do not know of any of this information being available publicly.

It is important to us that you, the customer, do not experience any monetary damages because of this incident, and have provided the information of all the cards that may have been involved in this incident to each of the credit card companies so that they may monitor the activity on these cards.

If you have any concerns about the security of your card, please contact the card company

(via the number on the back of your credit card).

Also, although we have switched to a more secure credit card transaction system that only stores the last four digits of your card on our databases on July 7, 2010, we have disabled credit card payments indefinitely.

The credit cards involved in this incident are those used in orders prior to July 7, 2010 (a maximum of 23,526 cards)

– Credit card numbers, expiration dates, cardholder names

We do not store personal verification passwords or security codes on our databases, so these have not been accessed.

Again, we have switched to a more secure credit transaction system on July 7 that only stored the last four digits of those cards (3,794 cards) and cannot be abused by a third party.

We are deeply sorry for any inconvenience or concern that this incident may have caused.

<A timeline of events>

October 6 – A system administrator found traces of attacks from Korea and began investigating immediately. That night, we contacted an external security firm to investigate.

October 7 – The external examiners began investigations in the morning. We shut off our systems for emergency maintenance, reinstalled all server operating systems and software, re-examined security settings, and isolated the server.

Logs indicated that customer data had been sent out from our server to the address of an institution in Korea.

We contacted that institution by phone and email about this incident and confirmed that the data had been deleted. We believe that they were used as a proxy.

October 8 – We revised program, network, firewall, and client machine security and implemented an intrusion detection system.

October 12 – We contacted the credit card transaction handler and began discussions about the course of action.

October 20 – The external investigators concluded their investigations and determined which and how much data had been accessed.

October 28 – With the results of the investigation and cooperation of credit card companies, we are ready to handle customer correspondence and have sent out email notifications to the customers that may have been affected.

We deeply regret that this incident has occured, and are continuously examining the security of our systems. We believe that the root of this problem was the lack of security awareness among each and every employee and are making sure this should not happen again.

We will work hard to maintain your confidence in Hobby Search and hope to see your continued patronage.

28 October 2010
Toshiyuki Suzuki
President
Hobby Search

<Contacts regarding this inciden>
Hobby Search Co, Ltd.
Telephone: 81-3-5833-3533 (International)
Fax: 81-3-5833-3534(International)
Hours: 10AM-9PM (10AM-6PM on weekends and holidays) 10/28 – 11/07
10AM-12PM, 1PM-6PM Mon-Sat except on weeks 2 and 3 of the month
11/8 onwards
(Hours listed are Japan time, GMT+9)
E-mail： hs-support@1999.co.jp

——Customer Q&A——

* Why did this happen?
Although we strive to keep our site and systems secure, there was a security hole the attackers were able to exploit.

* What information was stolen?
Credit card numbers, cardholder names, and expiration dates.
However, personal verification passwords and CVV codes are not stored on our databases and have not been compromised.
Other personal information such as names, addresses, and emails have not been compromised either.

* Is the site secure?
Yes. We have revised our networks, site, and systems under the direction of security experts. We have also suspended credit card transactions indefinitely.

* What did you do to improve the security of your site?
– deleted all credit card information from our databases
– suspended credit card transactions
– checked over all programs to confirm security
– revised firewall rules to make intrusion more difficult
– restructured our system network for higher security
– changed all passwords and imposed stricter regulations
– hardened the security on all server and client machines
– heightened security awareness among all employees

* Why did it take so long to announce this?
We apologize for the delay in making this announcement.
When we discovered a possible breach of security, we began investigating the issue and whether credit card information was stolen.
Once we confirmed that, we contacted credit card companies.
We coordinated with them and concluded that both parties would be ready to handle this issue on October 28, 2010.

<Regarding Credit Cards>

* How do I replace my credit card?
Please contact your credit card issuer for further information.
The number is located on the back of your credit card.

* How do I know if my credit card number has been stolen?
Please check your billing statements for any suspicious charges and contact your credit card company. For extra security, fraud protection programs are available for most credit cards.

* What do I do if my number has been stolen?
We sincerely regret the inconveniences this incident has caused.
If you see any suspicious charges on your credit statements, please call the number on the back of your card. From there, you can confirm if it is a fraudulent charge and replace your card if necessary.

* Should I replace my credit card?
Should your card be used for a fraudulent transaction, you should be able to cancel the charge. Please contact your credit card company for more information. Most vendors offer fraud alerts you can opt-in for. If you are unsure, please ask your card company.

* Can you replace my card for me?
We are unable to do so because only the card holder is able to replace a credit card.

* I pay my bills using this card. What should I do?
If you replace your card, the payments will no longer automatically be deducted.
Please update your billing information after you replace the card. We apologize for the inconvenience.

* When will you be accepting credit card payments again?
We do not have an estimate at the moment. We are still strengthening our security under the advisory of security experts. We will make an official announcement if we begin accepting credit card payments again.

* What should I do about existing preorders I chose to pay for by credit card?
Existing credit card orders will be processed normally. These orders will go through the newer, secure transaction system in which your credit card numbers will not be stored on our databases.

However, should the transaction fail, these orders will be switched to be paid for by PayPal and we will notify you of this by email.

<Miscellaneous>

* Have you caught the attackers?
We are currently investigating and contacting relevant parties.

* Have you contacted the police?
Yes, we have contacted the authorities.

<Contacts regarding this inciden>

Hobby Search Co, Ltd.
Telephone: 81-3-5833-3533 (International)
Fax: 81-3-5833-3534(International)
Hours: 10AM-9PM (10AM-6PM on weekends and holidays) 10/28 – 11/07
10AM-12PM, 1PM-6PM Mon-Sat except on weeks 2 and 3 of the month
11/8 onwards
(Hours listed are Japan time, GMT+9)
E-mail： hs-support@1999.co.jp