Online military gear supplier slow to notify about credit card breach

LulzSec bragged in a pastebin post that it hacked into the Special Forces Gear website and stole 8,000 credit card numbers and 14,000 passwords from the site a few months ago.

LulzSec said that the data were encrypted but it was able to steal the encryption keys, break the encryption, and recover credit card numbers, passwords, and expiration dates.

This was the same group that recently hacked into the Stratfor defense consulting firm site and stole 4,000 credit card numbers and other personal information.

Special Forces Gear founder Dave Thomas confirmed to a number of media outlets that the company’s web servers were breached and that hackers had stolen encrypted credit card information. He admitted that the breach happened in August, but did not indicate whether those affected by the breach were notified. A copy of a Dec. 15 email, purportedly from Thomas, was posted on Twitter advising customers that a credit card breach had occurred. If genuine, that would entail a four-month delay in notification.

Thomas said that after the breach, "we completely rebuilt our web site and hired third-party consultants to help us shore up Web site security." He said that most of the credit cards had expired and that there was “no evidence” that the credit card information was misused “at this time.”
