(707) 942-9700 | info@ecellar1.com

eCellar FAQ

Q & A on the breach of eCellar

June 9, 2015

Dear Valued Customers,

We sincerely regret to inform you that we learned of a possible security incident involving credit and debit card data. Your trust in us is our utmost priority, and we are working diligently to resolve this matter.

Beginning on May 27, 2015, we began notifying our winery customers that eCellar Systems, our consumer-direct sales platform, had been breached during the month of April, 2015 by an unknown intruder. To that end, each of our winery clients will be sending out notice of this event to their customers and it is likely that individual consumers may receive a similar notice from multiple wineries.

The intruder gained access to customer names, credit/debit card numbers, the related billing addresses, and any dates of birth in our system during the window of April 1st through 30th this year. The intruder did not have access to any driver license numbers, Social Security numbers, CVV verification numbers, or PIN numbers (data which we would typically not collect anyway). We have identified and secured the method that was used to breach our platform. Additionally, to prevent a future reoccurrence, we are in the process of converting to a “token” system so that credit card numbers will no longer be stored by the eCellar platform.

We are working with law enforcement and the credit card brands (American Express, MasterCard, Visa and Discover). We encourage all consumers to closely monitor their credit and debit card accounts. Most banks have a zero-liability policy and consumers will not be held responsible for unauthorized card charges, if they are timely reported. But, unlike wine, suspected fraudulent charges do not improve with age; immediately notify your bank if you notice any suspicious activity.

If you need assistance with fraud reporting, we are working with the Identity Theft Resource Center (ITRC) to provide fraud and identity theft counselors to you 24 hours a day / 7 days per week. If you experience any fraudulent activity on your credit card statements, you may contact the ITRC at http://www.idtheftcenter.org, e-mail at itrc@idtheftcenter.org or phone (888) 400-5530. We have worked tirelessly since 1997 to build a platform that uniquely understands the needs of wineries and wine aficionados. Responding to this criminal act is our top priority, and we promise to do everything we can to regain your confidence in our platform.

As we receive updated information, we will post updates to this website www.ecellar1.com/faq.

Sincerely,

Paul Thienes
Founder & CEO
Missing Link Networks, Inc.


Missing Link Networks
Frequent Asked Questions for Consumers Regarding the Data Breach Incident

> Who is Missing Link Networks?

Missing Link Networks is a company in Calistoga, CA that provides a consumer-direct sales and marketing platform, eCellar Systems. Approximately 70 wineries throughout the Northern California wine region use eCellar to manage their inventory and purchases, both in tasting rooms, with wine clubs and online.

> When did Missing Link Networks inform the wineries about the data breach?

Missing Link informed its winery clients of the breach between May 27 and May 31, 2015.

> Were the wineries a victim of a data breach?

Yes. An unknown hacker gained access to the payment portal accessible through Missing Link’s eCellar platform, and accessed data stored there that included payment data the wineries collect to process orders from their customers.

> How many customers were affected?

The payment information for approximately 250,000 customers was stored in the Missing Link payment portal during the time of the attack and so may have been exposed during the incident.

> Does the breach affect customers who purchased wine in-person at a winery?

Yes. The credit cards potentially impacted by this event appear to be those swiped or entered manually at the winery, entered online for purchases from winery websites, and those retained for wine club shipments.

> What categories of information were exposed?

The data that may have been exposed is: customer name, credit/debit card number, payment address, and date of birth.

> Was CVV or PIN data taken?

No. Missing Link never stored CVV verification numbers or PIN numbers from any credit or debit cards. So this data was not exposed through this breach.

> During what time period was payment card data exposed?

Based on the investigation to date, it appears that the hacker may have been capable of fraudulently obtaining payment card information stored in the payment portal between April 1 and April 30, 2015. Missing Link, in attempts to improve the security of its systems generally before this incident was fully discovered, closed the attack vector in the payment portal by April 30, 2015.

> What types of cards were affected?

Credit and debit cards from all four major brands – Visa, MasterCard, American Express, and Discover – were affected. Each of these card companies has been notified of the breach and provided with information for the cards affected.

> What has been done to correct this issue?

The security compromise has been contained. Through its investigation, Missing Link has been able to identify and secure the access point vulnerability that the hacker used to gain access to the payment portal. Missing Link has also reported this issue to the U.S. Secret Service and is cooperating in their investigation.

Missing Link is also working with a leading payment industry partner, OpenEdge, tokenizenizing all encrypted credit card information. This means eCellar now stores ‘tokens’ that represent credit cards remotely located in OpenEdge's Level 1 PCI-DSS secure online vault. All winery clients have been successfully tokenized, and no sensitive payment card information is handled or stored by Missing Link Networks, Inc..

> Is it safe for me to use my payment card at the wineries now?

Yes. Missing Link and the wineries have always taken the protection of your information very seriously. The identified security vulnerability has been remedied, and Missing Link is working to provide a more secure platform by implementing tokenization so that no payment card information will be stored on the platform.

> Will I be liable for fraudulent charges?

You should not be responsible for any possible fraudulent charges that are timely reported. If you have not already done so, you should report any suspicious transactions to the financial institution that issued your card in a timely manner.

> What steps can I take to protect myself?

Step 1: Monitor Your Accounts

We encourage you to closely monitor your credit and debit card accounts and immediately notify your bank if you notice any suspicious activity.

Step 2: Get Help to Navigate Reporting Fraud, If Needed

Missing Link Networks is also working with the Identity Theft Resource Center (ITRC) to provide fraud and identity theft counselors 24 hours a day / 7 days per week. If you experience any fraudulent activity on your credit card statements, you may contact the ITRC at http://www.idtheftcenter.org, e-mail at itrc@idtheftcenter.org or phone (888) 400-5530.

Step 3: Consider a Credit Report Fraud Alert to Protect Against Fraud, Generally

You may also consider placing a fraud alert on your credit report to help mitigate potential issues. To do this, you will need to contact one of the three credit reporting agencies:

Equifax: 1.800.525.6285
Experian: 1.888.397.3742
TransUnion: 1.800.680.7289

Step 4: A Free Credit Report is Available From All Bureaus

You can also order your credit report for free from all three credit bureaus once a year. You can do this online at www.annualcreditreport.com, or by phone at 1-877-322-8228. Some credit bureaus may permit free credit report access more than once per year, such as, https://www.freecreditreport.com, which is a part of Experian.

Step 5: Lookout for Phishing Attempts

While your email address has not been taken, be on the lookout for phishing schemes. Phishers are regularly impersonating your bank and other entities. Please do not respond to any of this correspondence seeking your personal information thinking it is related to this breach. Our correspondence regarding this incident will not contain any request seeking additional information from you, so if you receive an email or letter appearing to be from us that asks you for any additional information, it is not from us and you should not respond. Also, never provide sensitive information to unsolicited requests claiming to come from us, your bank, or other institutions. We would never ask you for sensitive information via email.

> What else might consumers need to know?

For residents of Hawaii, Michigan, Missouri, Virginia, Vermont, and North Carolina:
It is recommended by state law that you remain vigilant for incidents of fraud and identity theft by reviewing credit card account statements and monitoring your credit report for unauthorized activity.

For residents of Illinois, Iowa, Maryland, Missouri, North Carolina, Oregon, and West Virginia:
We are required by state laws to inform you that you may obtain a copy of your credit report, free of charge, whether or not you suspect any unauthorized activity on your account. You may obtain a free copy of your credit report by contacting any one or more of the following national consumer reporting agencies:

Equifax

P.O. Box 740241
Atlanta, Georgia 30374
1-800-685-1111
www.equifax.com
Experian

P.O. Box 2104
Allen, TX 75013
1-888-397-3742
www.experian.com
TransUnion

P.O. Box 2000
Chester, PA 19022
1-800-888-4213
www.transunion.com

For residents of Iowa:
State law advises you to report any suspected identity theft to law enforcement or to the Attorney General.

For residents of Oregon:
State laws advise you to report any suspected identity theft to law enforcement, as well as the Federal Trade Commission.

For residents of Maryland, Illinois, and North Carolina:
You can obtain information from the Maryland and North Carolina Offices of the Attorneys General and the Federal Trade Commission about fraud alerts, security freezes, and steps you can take toward preventing identity theft.

Maryland Office of the Attorney General Consumer Protection Division

200 St. Paul Place
Baltimore, MD 21202
1-888-743-0023
www.oag.state.md.us
North Carolina Office of the Attorney General Consumer Protection Division

9001 Mail Service Center
Raleigh, NC 27699-9001
1-877-566-7226
www.ncdoj.com
Federal Trade Commission, Consumer Response Center

600 Pennsylvania Avenue, NW
Washington, DC 20580
1-877-IDTHEFT (438-4338)
www.ftc.gov/bcp/edu/microsites/idtheft/
For residents of Massachusetts:
It is required by state law that you are informed of your right to obtain a police report if you are a victim of identity theft.

©2017 Missing Link Networks     801 Washington Street, Suite C, Calistoga, CA 94515     info@missinglink.net