Bulk Reef Supply Security Breach

BRS was the victim of a crime, not the perpetrator.

To take it further, what a stand-up company to send a notice. Home Depot, Target, and many others never sent letters during their massive breaches. Granted, the instance was more common knowledge, but it still shows BRS's continued commitment to their customers.


They sent a legal notice to cover their butt. Nothing on the Facebook page or email from them...
 
Yep, CYA... that's the mindset today... No accountability anymore in this country...
Funny thing is that BRS has known this was going on for 6 months but only went public with this security breach topic after this long a time span, but anyone can assume that the big shots know what their corporate year-end numbers/liabilities are before going public...
 
They sent a legal notice to cover their butt. Nothing on the Facebook page or email from them...
Probably not as big and flashy for your taste, but they do have something on their main page (see "Security Update" on the top left): http://www.bulkreefsupply.com/security-update

 
Yep, CYA... that's the mindset today... No accountability anymore in this country...
Funny thing is that BRS has known this was going on for 6 months but only went public with this security breach topic after this long a time span, but anyone can assume that the big shots know what their corporate year-end numbers/liabilities are before going public...

Just a clarification here: are you saying that BRS knew about the breach months ago, but failed to disclose? Because that is an extremely serious accusation.

Do you have any proof to substantiate this?

Generally with these kinds of data breaches, they are silent. Many times they're not discovered until a subset of people who have had their information stolen can be used to connect the dots to the point of compromise.

This isn't a brick and mortar store, so there aren't big sirens and flashing lights that go off when someone smashes a window; detecting these kinds of intrusions can be as much art as it is science.

I would caution you to refrain from assumption in this scenario, as it is not productive. However, if you have proof that this is the case, please do share.
 
Just a clarification here: are you saying that BRS knew about the breach months ago, but failed to disclose? Because that is an extremely serious accusation.

Do you have any proof to substantiate this?

Generally with these kinds of data breaches, they are silent. Many times they're not discovered until a subset of people who have had their information stolen can be used to connect the dots to the point of compromise.

This isn't a brick and mortar store, so there aren't big sirens and flashing lights that go off when someone smashes a window; detecting these kinds of intrusions can be as much art as it is science.

I would caution you to refrain from assumption in this scenario, as it is not productive. However, if you have proof that this is the case, please do share.


A 6-month period for a breach is a pretty long time. And instead of sending out a cautionary email right away and posting the info all over the place, they notified via snail mail... I got fraud of 3k!
 
No, not at all. I want to rescind what I wrote prior. It really is bad that these situations happen, but is there anything the card companies can do to stop this? It's a topic that recurs for card companies, people and retail vendors, especially everyone involved that gets caught up in the aggravating mess it becomes. How does somebody get this private info if they're not supposed to have it, and have the balls to do illegal activity like this?
Just think of the time and trouble spent by card companies and vendors that have to do damage control in these situations, or implement safety standards for these safety and privacy issues on a daily business basis...


Just a clarification here: are you saying that BRS knew about the breach months ago, but failed to disclose? Because that is an extremely serious accusation.

Do you have any proof to substantiate this?

Generally with these kinds of data breaches, they are silent. Many times they're not discovered until a subset of people who have had their information stolen can be used to connect the dots to the point of compromise.

This isn't a brick and mortar store, so there aren't big sirens and flashing lights that go off when someone smashes a window; detecting these kinds of intrusions can be as much art as it is science.

I would caution you to refrain from assumption in this scenario, as it is not productive. However, if you have proof that this is the case, please do share.
 
A 6-month period for a breach is a pretty long time. And instead of sending out a cautionary email right away and posting the info all over the place, they notified via snail mail... I got fraud of 3k!

You want to notify via real mail for things like this. You assume that electronic communications have been compromised and send instructions via hard copy as a security measure to help prevent future social engineering attacks.

They probably did notify as soon as they were able to. 6 months sounds like a long time for a data breach, but it's not really.

It all depends on the nature of this breach: how they got in, where they got it, what they were doing while there. This isn't the same thing as showing up to your business in the morning and seeing that the door has been forced open and the cash register is gone. It is super easy to hide these kinds of intrusions. Unless you get lucky, or have a superhuman sysop watching your network, you generally only find out about them long after they've happened.

I would be willing to bet that the system you're on right now has at least half a dozen exploits that could allow an attacker invisible access to you without you ever knowing it happened.

It's scary, but also hilarious, how insecure computers and networks are.
 
No, not at all, but there is a time frame to the letter. I want to rescind what I wrote prior. It really is bad that these situations happen, but is there anything the card companies can do to stop this? It's a topic that recurs too often with people and retail vendors, especially everyone involved that gets caught up in the aggravating mess it becomes.
Just think of the time and trouble spent by card companies and vendors that have to do damage control in these situations, or implement safety standards for these safety and privacy issues on a daily business basis...

It is super frustrating. It leaves you feeling absolutely powerless too, which may be the worst part. Faceless attackers made off with large portions of your online identity and now have taken over something almost sacred in your life: your money.

I myself have been compromised several times, all in different ways, all from different places. Some of the breaches were clear negligence on the part of the entity holding my records, others were inadvertent compromises due to human error, software bugs, etc...

It sucks. Totally sucks. No two ways about it.

User soulpatch has posted some really interesting points earlier in this thread. It sounds like there will be enhanced security standards coming to US cards soon; not soon enough, but this is always a cat and mouse game.

As long as there is money to be made, the arms race between white hats and black hats will continue.

Locks only ever keep out honest people.
 
When I received a letter from BRS explaining they were hacked, and PII (Personally Identifiable Information) was stolen, I, like everyone else, was upset at the news.

I wrote a long email to BRS support outlining my concerns, posing some questions, and generally giving my professional opinion of the situation. (I work in the IT industry, and frequently deploy and maintain e-commerce solutions.) My letter was not an enraged flame, but it was in no way laudatory, and I believe I fairly delineated the consequences to businesses and consumers from such an incident, my view of a business's responsibility after such an event and, equally importantly, its responsibility before such an event, and some suggestions for their way forward. (I shared the message with my wife, and she gave me one of those looks and said "I would not like to receive an angry letter from you." I wasn't being angry, but I get her point.)

A few hours later, I received a call from Ryan, and we had a long conversation about the situation. I respect his initiative in addressing the damage head-on and in a personal, as well as professional and expert, manner. I believed before, and I believe now, this is a small company with integrity as a core tenet. I can't reveal all I was able to glean from the conversation, but will say that they have well and truly made every practical effort to rectify the situation in the best manner available. (Know that doing so is an extremely expensive and painful proposition for them, and as a small company with whom I like doing business, I hope their balance sheet can survive the hit. As much as we as customers may have lost potentially and in fact, BRS has lost far more.)

I empathize with everyone involved in this: myself, other customers, and BRS too. I do not sympathize, however. This sort of attack, while prevalent (anyone a Target customer?), is not unpreventable. I still maintain the best time to close the barn door is before the horses escape. To mix metaphors, that's water under the bridge now. In talking with Ryan, I am convinced they have learned this very painful lesson. Right now, I have no doubt that one of the safest places to do business on-line is the BRS web site.

"Maybe they will make a YouTube video about it....."
I complained that the time it took to communicate the issue was too long. Ryan, I could tell, was as frustrated as all of us about this. I agree with him that there is no perfect way to communicate, and on balance they did as well as can really be expected. The above quote was written by another poster, in humor, but Ryan shared that was literally his first impulse and he wanted to do so immediately. The IT experts they brought in shot the idea down in no uncertain terms, and were right to do so. Immediately after the discovery, there were not enough facts in evidence to craft a coherent message, let alone an effective action plan for the business or consumers. Until they knew the nature and reach of the intrusion and theft, what was the message to be? "We were hacked. Data was stolen." Painful, but better to wait and have a clear message, targeted at the affected parties, rather than a vague, ominous broadside aimed at everyone. (If I, for one, want the latter, I'll watch Fox News.)

Nobody will disagree this was an unfortunate situation. Bad things happen to good people. All those victimized here, including BRS, are good people IMHO.

I will continue doing business with BRS. Their business model and delivered value is still attractive to me. I will, as will we all, come away sadder but wiser, knowing more than we care to about the dark side of doing business on-line. The suggestion to use PayPal as a payment processor backed by a credit card as the payment instrument is a good one. Secure payment processing is not BRS's core competence; it is PayPal's raison d'être, and we all should be taking advantage of that as a prudent approach to e-commerce.
 
Am I the only one not upset about this?
My bank has to send me a new debit card what seems like several times a year, including a few weeks ago. This is the first time this year.
This has just become normal to me. lol
I've never lost a dime, btw.
 
Am I the only one not upset about this?
My bank has to send me a new debit card what seems like several times a year, including a few weeks ago. This is the first time this year.
This has just become normal to me. lol
I've never lost a dime, btw.

I'm in your boat too. S happens, get over it and live on... & yes, I was also compromised and sent a new card...
 
As I sit here at work, I wonder why everyone can't just do honest work anymore?

Why do so many have to 'cheat/game' the system?

What's funnier is that it happens so often that usually, unless it's at least a 5K loss, they don't even investigate it. Is that funny or what?

I used to work fraud for Target. I was able to stop a lady in NY who used 8 different people's CCs to purchase txt G/Cs. She was in a box store trying to combine the cards onto one G/C so Target wouldn't be able to trace her activity. I was lucky enough to start tracing 3 out of the 8 being used at that time in a store, had the other 5 cancelled, and called the store to have that G/C voided. It's always fun calling a Susan or Lisa who has a really deep voice, or catching these morons in the act. Red flags are if it is a URL from Eastern Europe or West Africa. Saddest is when you call an old lady asking her if she purchased a $150 G/C for someone she never heard of.
 
I was behind this old guy at a Walmart ATM who was working the machine for a good 15 minutes before my curiosity and impatience got the best of me and I stepped up to look over his shoulder to see what on earth was taking so long. He had a handful of cards that he was dutifully trying, one by one, to get money from the machine - without much luck, I might add.

I kindly suggested he steal higher quality plastic, or at least learn how to steal PINs as well so the process would not take so long, and the rest of us could get on with our day.
 
I know this happened a while ago, but two days ago I got the first of several strange emails. Tonight I was notified via email that someone created an account at McAfee security and paid for it with my credit card. I immediately cancelled that card before any other damage could be done, but I have since tracked down several other accounts created using my personal information and credit card.

These accounts have not been used by the thief and they are all products that auto-renew each month and that are very difficult to cancel. My best guess is that someone is currently running a bot to sign up to these services with the information in the stolen BulkReefSupply data just to be a malicious jerk.

I just wanted to give a heads up to anyone else that hasn't cancelled their cards yet. Be very vigilant and cancel your CC at the first hint of anything you don't recognize.
 
Just like to let everyone know: in good faith I ordered from BRS (AFTER the big incident). I received a letter today that says they have identified more small affected files that were not previously included in the scope of the earlier announcement. Potentially affected customers are anyone who logged into the website between Feb 22 and March 16. Apparently this is an ongoing issue with them. I used PayPal so I'm not that worried, but be warned.
 
Just like to let everyone know: in good faith I ordered from BRS (AFTER the big incident). I received a letter today that says they have identified more small affected files that were not previously included in the scope of the earlier announcement. Potentially affected customers are anyone who logged into the website between Feb 22 and March 16. Apparently this is an ongoing issue with them. I used PayPal so I'm not that worried, but be warned.

Great, hopefully it doesn't happen again. :mad2:
 
Just like to let everyone know: in good faith I ordered from BRS (AFTER the big incident). I received a letter today that says they have identified more small affected files that were not previously included in the scope of the earlier announcement. Potentially affected customers are anyone who logged into the website between Feb 22 and March 16. Apparently this is an ongoing issue with them. I used PayPal so I'm not that worried, but be warned.

I got another letter yesterday...Only it didn't have my name on it. It was my address :mad2:.

I always use PayPal so I'm not worried, but jeez.
 
I got another letter yesterday...Only it didn't have my name on it. It was my address :mad2:.

I always use PayPal so I'm not worried, but jeez.



Got another one today with my address also, but the first and last name was not mine this time either.

I don't really understand why some people get so upset over this. It happens; thieves will always be one step ahead.
 
I got the letter and 2 days later got a fraudulent charge on my card. I only used my card at BRS. Sucks but there is nothing you can do about it. This was the second time this has happened in 5 months.
 