Q & A on the breach of eCellar
June 9, 2015
Dear Valued Customers,
We sincerely regret to inform you that we learned of a possible security incident involving credit and debit card data. Your trust in us is our utmost priority, and we are working diligently to resolve this matter.
Beginning on May 27, 2015, we began notifying our winery customers that eCellar Systems, our consumer-direct sales platform, had been breached during the month of April, 2015 by an unknown intruder. To that end, each of our winery clients will be sending out notice of this event to their customers and it is likely that individual consumers may receive a similar notice from multiple wineries.
The intruder gained access to customer names, credit/debit card numbers, the related billing addresses, and any dates of birth in our system during the window of April 1st through 30th this year. The intruder did not have access to any driver license numbers, Social Security numbers, CVV verification numbers, or PIN numbers (data which we would typically not collect anyway). We have identified and secured the method that was used to breach our platform. Additionally, to prevent a future reoccurrence, we are in the process of converting to a “token” system so that credit card numbers will no longer be stored by the eCellar platform.
We are working with law enforcement and the credit card brands (American Express, MasterCard, Visa and Discover). We encourage all consumers to closely monitor their credit and debit card accounts. Most banks have a zero-liability policy and consumers will not be held responsible for unauthorized card charges, if they are timely reported. But, unlike wine, suspected fraudulent charges do not improve with age; immediately notify your bank if you notice any suspicious activity.
If you need assistance with fraud reporting, we are working with the Identity Theft Resource Center (ITRC) to provide fraud and identity theft counselors to you 24 hours a day / 7 days per week. If you experience any fraudulent activity on your credit card statements, you may contact the ITRC at http://www.idtheftcenter.org, e-mail at firstname.lastname@example.org or phone (888) 400-5530. We have worked tirelessly since 1997 to build a platform that uniquely understands the needs of wineries and wine aficionados. Responding to this criminal act is our top priority, and we promise to do everything we can to regain your confidence in our platform.
As we receive updated information, we will post updates to this website www.ecellar1.com/faq.
Founder & CEO
Missing Link Networks, Inc.
Missing Link Networks is a company in Calistoga, CA that provides a consumer-direct sales and marketing platform, eCellar Systems. Approximately 70 wineries throughout the Northern California wine region use eCellar to manage their inventory and purchases, both in tasting rooms, with wine clubs and online.
Missing Link informed its winery clients of the breach between May 27 and May 31, 2015.
Yes. An unknown hacker gained access to the payment portal accessible through Missing Link’s eCellar platform, and accessed data stored there that included payment data the wineries collect to process orders from their customers.
The payment information for approximately 250,000 customers was stored in the Missing Link payment portal during the time of the attack and so may have been exposed during the incident.
Yes. The credit cards potentially impacted by this event appear to be those swiped or entered manually at the winery, entered online for purchases from winery websites, and those retained for wine club shipments.
The data that may have been exposed is: customer name, credit/debit card number, payment address, and date of birth.
No. Missing Link never stored CVV verification numbers or PIN numbers from any credit or debit cards. So this data was not exposed through this breach.
Based on the investigation to date, it appears that the hacker may have been capable of fraudulently obtaining payment card information stored in the payment portal between April 1 and April 30, 2015. Missing Link, in attempts to improve the security of its systems generally before this incident was fully discovered, closed the attack vector in the payment portal by April 30, 2015.
Credit and debit cards from all four major brands – Visa, MasterCard, American Express, and Discover – were affected. Each of these card companies has been notified of the breach and provided with information for the cards affected.
The security compromise has been contained. Through its investigation, Missing Link has been able to identify and secure the access point vulnerability that the hacker used to gain access to the payment portal. Missing Link has also reported this issue to the U.S. Secret Service and is cooperating in their investigation.
Missing Link is also working with a leading payment industry partner, OpenEdge, tokenizing all encrypted credit card information. This means eCellar now stores ‘tokens’ that represent credit cards remotely located in OpenEdge's Level 1 PCI-DSS secure online vault. All winery clients have been successfully tokenized, and no sensitive payment card information is handled or stored by Missing Link Networks, Inc.
Yes. Missing Link and the wineries have always taken the protection of your information very seriously. The identified security vulnerability has been remedied, and Missing Link is working to provide a more secure platform by implementing tokenization so that no payment card information will be stored on the platform.
You should not be responsible for any possible fraudulent charges that are timely reported. If you have not already done so, you should report any suspicious transactions to the financial institution that issued your card in a timely manner.
Step 1: Monitor Your Accounts
We encourage you to closely monitor your credit and debit card accounts and immediately notify your bank if you notice any suspicious activity.
Step 2: Get Help to Navigate Reporting Fraud, If Needed
Missing Link Networks is also working with the Identity Theft Resource Center (ITRC) to provide fraud and identity theft counselors 24 hours a day / 7 days per week. If you experience any fraudulent activity on your credit card statements, you may contact the ITRC at http://www.idtheftcenter.org, e-mail at email@example.com or phone (888) 400-5530.
Step 3: Consider a Credit Report Fraud Alert to Protect Against Fraud, Generally
You may also consider placing a fraud alert on your credit report to help mitigate potential issues. To do this, you will need to contact one of the three credit reporting agencies:
Step 4: A Free Credit Report is Available From All Bureaus
You can also order your credit report for free from all three credit bureaus once a year. You can do this online at www.annualcreditreport.com, or by phone at 1-877-322-8228. Some credit bureaus may permit free credit report access more than once per year, such as https://www.freecreditreport.com, which is a part of Experian.
Step 5: Look Out for Phishing Attempts
While your email address has not been taken, be on the lookout for phishing schemes. Phishers are regularly impersonating your bank and other entities. Please do not respond to any of this correspondence seeking your personal information thinking it is related to this breach. Our correspondence regarding this incident will not contain any request seeking additional information from you, so if you receive an email or letter appearing to be from us that asks you for any additional information, it is not from us and you should not respond. Also, never provide sensitive information to unsolicited requests claiming to come from us, your bank, or other institutions. We would never ask you for sensitive information via email.
For residents of Hawaii, Michigan, Missouri, Virginia, Vermont, and North Carolina:
It is recommended by state law that you remain vigilant for incidents of fraud and identity theft by reviewing credit card account statements and monitoring your credit report for unauthorized activity.
For residents of Illinois, Iowa, Maryland, Missouri, North Carolina, Oregon, and West Virginia:
We are required by state laws to inform you that you may obtain a copy of your credit report, free of charge, whether or not you suspect any unauthorized activity on your account. You may obtain a free copy of your credit report by contacting any one or more of the following national consumer reporting agencies:
P.O. Box 740241
Atlanta, Georgia 30374
P.O. Box 2104
Allen, TX 75013
P.O. Box 2000
Chester, PA 19022
Maryland Office of the Attorney General Consumer Protection Division
200 St. Paul Place
Baltimore, MD 21202
North Carolina Office of the Attorney General Consumer Protection Division
9001 Mail Service Center
Raleigh, NC 27699-9001
Federal Trade Commission, Consumer Response Center
600 Pennsylvania Avenue, NW
Washington, DC 20580