When I first read about this breach I could not help but think of various Darwin-related jokes. I opted not to run with them in the end. A data breach is no laughing matter. The Evolution Store reported that its site had been accessed by an external party with what appear to have been purloined credentials.
On Oct. 9 the company made it known that they had identified that their e-commerce systems had been breached. Apparently this was accomplished by an external party with administrative credentials. The first thing that popped into my mind in this case was that the company had been successfully phished by a ne’er-do-well, although I have not been able to confirm this was the case. The company had taken the step of hiring an external forensics investigation firm, Stroz Friedberg LLC, who confirmed the breach on Sept. 16, 2014. But when did the breach first take place? That part is unclear.
What was taken, you might ask? Well, the attacker(s) who breached the system had access to names, email addresses, phone numbers, billing/shipping addresses and transaction information of customers. While the company gets some demerit points for having their administrative interface externally accessible, they do get a hat tip for changing all of the account passwords as soon as the breach was identified. Well done.
I did have some further questions for the company and they were good enough to provide me with some answers. I asked them about the number of customers affected, whether it was in fact a phishing attack that got the credentials and how long the breach was in play. Their answer to all of the aforementioned was a variation of “Our forensic investigation is ongoing…” While I understand those answers, I had hoped for a little more substance.
The upside of this breach is that The Evolution Store will be providing credit monitoring for their customers via AllClear ID.