I have been collecting wine for over a decade now. And by collecting I mean that I would buy a bunch and it would not survive to see the end of the year. A short term collector if you will. I had always fancied the idea that one day I would own a small vineyard and enjoy my twilight years working the vines. Then it dawned on me that that is a lot of hard work. Nuts to that idea. I’ll just stick to drinking the wine.
What struck me about owning a vineyard is that there is a lot of other aspects to the business that a wine maker might not actually have the wherewithal to handle. First and foremost that springs to mind is the IT aspect of running a business like that. Wine makers are good at what they know best and that is making wine. That is their training and their passion. So, what is a proprietor to do? Enter the third party IT supplier. They will show up and provide all manner of services to get you up and running. Everything from a website to a email campaigns to backend systems.
But, what about security? We’re looking at a niche offering with regards to wine makers. These vineyard owners are a group of people who are specialized in their craft and not necessarily conversant on the finer points of data security. Well, sadly it seems that several of these wine makers are now in the unenviable position of having to disclose that they have suffered a data breach through their web platform which exposed the information of their customers. The unknown interloper apparently had access to credit card information for a period from April 1st for the 30th of 2015.
Suddenly that wine is starting to taste a little like ash in the mouth. No one enjoys plonk and no, I don’t mean the wine but rather, the situation they’ve landed in.
So, what was the common denominator in this case? Seems that they all shared the same IT service provider. A company called Missing Link Networks or as their website labels them, eCellar. This is a company that specializes in selling packages to vineyards so that they don’t have to worry about trying to sustain their own IT infrastructure. Nothing wrong with that, except when it all goes badly.
Some of the affected companies as a result of the Missing Link breach are Clif Family and Turley Wine Cellars. Not clear at the time of this writing how many other companies may be affected.
From the Missing Link/eCellar notification:
The intruder gained access to customer names, credit/debit card numbers, the related billing addresses, and any dates of birth in our system during the window of April 1st through 30th this year. The intruder did not have access to any driver license numbers, Social Security numbers, CVV verification numbers, or PIN numbers (data which we would typically not collect anyway). We have identified and secured the method that was used to breach our platform. Additionally, to prevent a future reoccurrence, we are in the process of converting to a “token” system so that credit card numbers will no longer be stored by the eCellar platform.
The Missing Link/eCellar data breach is somewhat reminiscent of the multiple retail data breaches that have been in the news such as Home Depot and Target but, a different attack vector. In this case there was approximately 250,000 customers affected as a result of the breach. This also affects customers who purchased wine in store as well by virtue of all the data being stored in the same repository. Short story, web security was lacking in this case. All of the affected parties are now taking the step, mandated by US law, to ensure that they’re providing their affected customers with credit monitoring for a year.
The IT provider is working with law enforcement as well as with the card brands to get to the bottom of this issue.
When all is said and done I did enjoy this one line from the breach notification, “But, unlike wine, suspected fraudulent charges do not improve with age; immediately notify your bank if you notice any suspicious activity.” Amusing and yet, sage advice. Your digital supply chain is your exposed flank. As a matter of fact, I will be giving a talk on digital supply chain security issues at CircleCityCon in Indianapolis this morning.
Hopefully, this data breach will be a learning opportunity for the vineyards and Missing Link. Do you have have a similar type of arrangement with an outsourced provider? Ask them about their approach to security. You don’t want to discover the hard way that security was the missing link.