[Dataloss] Cooks Illustrated magazine has a security problem
security curmudgeon
jericho at attrition.org
Fri Feb 10 23:35:02 EST 2006
---------- Forwarded message ----------
From: Richard M. Smith <rms at bsf-llc.com>
Date: Fri, 10 Feb 2006 23:18:21 -0500
http://www.cooksillustrated.com/webfaqs/

What happened to your website?

On January 30, 2006, we determined that a file was deleted from the "back
office" part of our site. We do not know how, or by who, this file was
deleted, but because we keep sensitive personal information about our
website members on our servers, for security reasons we took all of our
sites down immediately. Since February 3rd, our sites have been back up
and running, although some limited functionality for website members has
not yet been restored.

Was any of my personal information compromised?

As soon as we discovered that a file had been deleted from our website
server, we immediately investigated the cause of this problem. Our
investigation has been unable to determine how, why, or by whom the files
were deleted. Although we do not have conclusive evidence that the file
deletion was the work of an intruder, it is possible that an individual
gained unauthorized access to our computers. The deleted file did not
contain any credit card information. However, given the possibility that
someone did gain unauthorized access to our system, we are notifying all
website members that their credit card information may have been
unlawfully accessed, and providing recommended steps that members should
take to protect themselves from credit card fraud and identity theft.

Why did you not contact me before now?

As soon as we determined that a file had been deleted from our Internet
server, we shut down our websites and disconnected our server from the
Internet. At the time that our websites were brought back up, we posted
messages on our website homepages describing why our site was down and
that we were investigating the cause of the file deletion. As our
investigation has ended without conclusive information as to how the file
was deleted or whether an individual gained unlawful access to sensitive
personal information, we are now contacting all website members with our
findings and steps that they should take in case their sensitive personal
information was, in fact, unlawfully accessed.