Data thieves crack Microsoft’s India store

Another big corporation’s customer database has been breached. This time it’s Microsoft, specifically the software giant’s online retail store serving India.

“As we saw with Sony, Stratfor, Zappos and others, hackers value this information and are selling it on a thriving black market to others focused on identity theft,” says Todd Thiemann, product specialist at encryption company Vormetric. “Companies need to rethink how to value and protect customer data.”

Microsoft took its Store India offline earlier today after word got out that the site’s customer database had been cracked. A group referring to itself as Evil Shadow Team took credit in a blog post written in Mandarin.

Referring to himself as 7zl, Evil Shadow’s self-proclaimed leader told Reuters the data had been found unencrypted on the website. In the blog post, 7zl declared himself to be a “patriotic hacker.”

A Microsoft spokeswoman told Reuters the company is “investigating a limited compromise” of the company’s online store in India. “The store customers have already been sent guidance on the issue and suggested immediate actions,” the spokeswoman said. “We are diligently working to remedy the issue and keep our customers protected.”

Customers exposed


The hackers have also released user name and password combinations that were saved in plain text by Microsoft. “Storing this data in clear text is playing with fire,” says Thiemann.

As with the aftermath of the database compromises of Zappos shoe store and news analysis site, any customers of Microsoft’s India store would be wise to change their account passwords as soon as possible. They should be wary of “phishing” e-mail crafted to lure them into divulging sensitive information, such as a Social Security number, or into clicking on a seemingly trustworthy weblink that actually installs a virus.

It remains a widespread practice among many online retailers not to encrypt shoppers’ personal data, including e-mail and shipping addresses, phone numbers, the last four digits of the payment card numbers and the account passwords. Most big retailers do encrypt payment card numbers — but only because it is required under the Payment Card Industry Data Security Standard.

Retailers do not typically encrypt any data beyond what is required under PCI-DSS rules, which are enforced by VISA and Mastercard, because doing so can degrade a website’s performance. What’s more, consumers do not demand it. Visa and Mastercard are only concerned about payment card fraud losses, and have no direct financial stake in the monetary and reputation losses consumers must endure due to identity theft, says Todd Feinman, CEO of database security firm Identity Finder.

In a related development, a security researcher using the nicknames “WeedGrower” or “X-pOSed” claims in recent weeks to have cracked into customer databases of AOL, NASA, Hotmail, Myspace, Xbox, USBank, Yahoo, and VISA and leaked sensitive data on most of those websites, according to The Hacker News.

WeedGrower also claims to have compromised chip maker giant Intel and obtained sensitive data, including credit card numbers, email addresses and passwords.

“What’s interesting about this alleged breach is credit card data that’s supposedly been obtained should be encrypted under PCI DSS,” said Mark Bower, data protection expert and VP at Voltage Security. “Either it wasn’t encrypted, which would be a violation of PCI, or they made a common mistake in assuming data-at-rest encryption offers any protection from hackers, like in this case. If the data was encrypted at the data level, using a data-centric approach, then all bets would be off and the hacker would have useless encrypted data, and this would be a non-issue.”

–By Byron Acohido
