Just last week I was waxing poetic over the Missing Link Networks/eCellar data breach. At the time the breach was made known I was of a mind that this would just be a tip of the iceberg when the wine makers Clif Family and Turley announced on June 10th that they had in fact been affected as a result of the Missing Link breach.

Missing Link Networks/eCellar is a company that specializes in selling packages to vineyards so that they don’t have to worry about trying to sustain their own IT infrastructure.

At the time I mused about there being more vineyards to announce, I was not aware of how right I was. At least 21 more wine makers announced this past Friday that they too had fallen to the miscreants who had illegally breached the defenses of their third-party provider.

Here is a list of the affected wine makers who came forward last week:

Summer Estates
Spring Mountain Vineyard
Silverado Vineyards
Signorello Estate
Round Pond Estates
Rhys Vineyards
Repris Vineyards
Pride Mountain Vineyards
Palmaz Vineyards
Outpost Vineyards
Martinelli Vineyards
Larkmead Vineyards Vinter and Grower
Jessup Cellars
Heitz Wine Cellars
Gemstone Vineyards
Flora Springs Winery & Vineyards
Charles Krug Winery (C. Mondavi & Family)
Corison Winery
Cain Vineyard and Winery
Peter Michael Winery
Rombauer Vineyards Inc.

That is quite a long list of unhappy campers to say the least.

In several of the breach notification letters I noticed that the vineyards were suggesting that it would be a good idea for customers to log into their online account and change their password. The difficulty that I have with this is that they should actually be forcing customers to change their passwords. While asking nicely is well intentioned, I think that the customers would be better served if their password resets were mandatory. The other thing that I’m wondering about is the customers that bought products at the vineyards themselves.
Resetting the passwords will not help them as they might not have an account on the websites. The data for both the point of sale systems as well as the online purchases were stored in the same database. I found it interesting that a presentation that discussed PCI compliance referencing Missing Link had been removed from a website that was dealing with testimonials for retailers. All of the affected wineries are offering credit monitoring for their customers as specified by law. Each one of the notification letters said something to the effect of “To date, we have not received any customer notifications regarding fraudulent activity. Missing Link Networks however, has taken aggressive action to upgrade its security, including making a sizable investment in system enhancements.” This struck me that the company had provided something akin to a template for their customers to send out.