Hackers swipe seed company's customers' data

March 3, 2007

By Doug Harlow, Staff Writer


The Web site of Johnny's Selected Seeds has been hacked by an intruder, resulting in the theft of thousands of private records and credit card numbers, a company official said Friday.

Bruce Harrington, the company's director of sales and marketing, said 11,500 credit card accounts were stolen electronically in February.

"This is a violation, this is a criminal act and it's on us," Harrington said. "We are a victim here; it wasn't like we had credit card information ready for the taking."

He said the FBI was immediately notified and the case is under investigation.

Todd Difede of the FBI's Portland office said it is not bureau practice to discuss criminal cases before the cases are adjudicated.

Of the total number of accounts that were breached, about 20 of the credit cards were used fraudulently, Harrington said.

He said the last known Internet Service Provider to register action involving the Johnny's case was somewhere in the United Kingdom.

Harrington said the security system was hacked in a very sophisticated, methodical way.

"Essentially what happened is that criminals gained access to our internal systems and gathered enough information to allow them to then gain access to our Web site," Harrington said.

The company's "server farm" in Kentucky was the target, he said.

"They hack in there with the information they have, then they can get into information that's stored on the Web, which included credit card information," he said. "Since then, emergency measures have been implemented and the site is being monitored around the clock to ensure this doesn't happen going forward."

Letters have been sent to each of the account holders, who then contacted their banking institutions and credit card companies to prevent further breaches and additional fraud.

Harrington said the breach was noticed on Feb. 18, when two customers called and said their credit cards had been compromised with fraudulent charges.

"They had shopped here as well as other locations," Harrington said. "As a security precaution, we immediately notified our Web vendor that handles our Web site, as well as our (information technology) department internally, and started hunting for any breaches in security."

The investigation by the company's emergency response team determined that the original illegal entry happened Feb. 4. The system was locked down, passwords were changed, hard drives were removed and multiple new security layers and software were put in place to make sure something like this does not happen again, he said.

Harrington said he has no idea why a relatively small seed company in rural Maine would become the target of an Internet sting. He said the Johnny's security system was no easier and no harder to access than any other private business.

"We asked the same question -- why us?" he said.

Harrington said the company had installed "hacker safe" software before the breach, but the system was compromised anyway.

"It wasn't a Web site hack," he said. "It was a breach of security from outside, into our internal security system's network here in Winslow, from which they were able to gather enough information from looking at screens and passwords, to then get into the Web site undetected, grab that information and leave."

Harrington said Internet fraud is nothing new. He pointed to recent breaches at T.J. Maxx and Bank of America systems as two examples.

Johnny's Selected Seeds is a mail-order seed producer located in Albion and Winslow. The company was established in 1973 by Chairman Rob Johnston, Jr.

Harrington said 70 percent of the company's customers are commercial growers. The company exceeded $13 million in sales last year.

The company's export department ships seeds internationally and throughout the United States, both in retail and wholesale, and in small and large quantities.

Harrington said the company employs about 130 people this time of year in anticipation of the spring and growing season.

He said the breach and subsequent investigation, mailings to affected customers and software corrections have cost the company tens of thousands of dollars. "This has really put a financial burden on us in the short term," he said.

Harrington said he thinks the company's quick discovery of the breach and its quick action to alert customers prevented the additional use of the stolen credit card data.

"I think we prevented a lot of things by early detection," he said.
