Sourcebooks suffers credit card data breach

It wouldn’t be a Friday afternoon without a company sharing that it had suffered a data breach. Normally I’m the first person to be sympathetic in this type of situation, but I have seen enough of these Friday disclosures that I’m starting to call bull spit on these.

Today’s disclosure comes from online bookseller Sourcebooks. This is a company that was founded by Dominique Raccah in 1987 and has grown steadily since. Unfortunately, it does not appear that their information security has managed to keep current.

It appears that this is a case of web security failing and another shopping cart getting compromised by unknown attackers. If memory serves, this is the third large breach of this type in a week. I should go back and see if there is a common platform. But, that is for another article.

In this case it appears that attackers had taken control of the shopping cart on the and websites from April 16, 2014 until June 19, 2014. Attackers were able to capture credit card numbers, expiration dates, CVV2, full billing information and even passwords.

Why did this take so long to be disclosed? If I were a customer of theirs I would be rather annoyed. Four months later? I understand that an investigation is underway, but promptly disclosing to customers would have been a capital idea. But, therein lies the rub. Did they know in June?

One thing that stood out in Sourcebooks’ disclosure was this line: “Implemented new security measures in accordance with the Payment Card Industry (PCI) data security standards.” Um, pardon? Is the inference to be drawn here that they were not PCI compliant? This isn’t a panacea by any stretch (stop giggling), but there are fines that could possibly be applied. The next line that grabbed my attention was “Revised our internal processes in order to be able to identify any potential issues as quickly as possible.” This tells me that the company didn’t know anything about the issue until compromised customers started to lodge complaints. But, that’s a best guess.

As with any incident like this in the US, the customers are not liable for charges that result from a security failure like this one.

So there are some kudos to be applied. They have taken the steps to hire a forensics firm to tear apart what actually transpired. For customers of this site, they have taken steps to provide credit monitoring.

Set up a toll-free information line for any customers with questions. For further information and assistance, please contact us at 844-810-1155 between 8:30 a.m. – 5:30 p.m. CST daily, or visit

Hopefully they have learned from this incident and their customers will not have to contend with this type of thing again.

(Image used under CC from shutterhacks)


Copyright © 2014 IDG Communications, Inc.