SwimOutlet.com Data Breach Stats

Yesterday, Tues Jan 17, I received a 🐌 snail mail “Re: Notice of Data Breach” letter from SwimOutlet dated Jan 12, 2017. I’m having a hard time confirming the validity of this letter on the Internet. Using phrases in the letter, I’ve found a single match PDF on justice.oregon.gov. Based on the PDF on justice.oregon.gov YogaOutlet.com shares the same infrastructure and was also affected. Assuming it is real, incredibly SwimOutlet.com and YogaOutlet.com have no information about this on this website and I have no emails from SwimOutlet.com on this issue.

Here are some statistics I’ve calculated based on when I received the letter:

  • 204 days of credit card data may have been stolen
  • 79 days since credit card processor reported unusual activity to SwimOutlet.com
  • 79 days since “immediately began” “work[ing] with third-party forensic expert”
  • 28 days to confirm may have compromised credit card data
  • 22 days or more that the criminals were on the systems
  • 45 days SwimOutlet.com waited to notify customers after confirmation
  • 5 days more wasted in the time an email would have been received and snail mail was received.
  • 100% chance that debit and credit card data was stored insecurely: cardholder’s name, address, phone number, email address, card number, expiration date, and CVV
  • 2 pages of generic “remain vigilant” useless credit reporting bureaus reminding you how insufficient industry’s and government’s safeguards are.
  • 1 unlisted phone number that if lucky is actually a Subway in Wilkesboro, NC

  • Zero information published online by SwimOutlet.com / YogaOutlet.com
  • F grade for response and communicate by SwimOutlet.com
  • 0% chance I’ll trust these people with my payment information ever again

Here is the sample letter from justice.oregon.gov that seems to read verbatim to the letter I’ve received:

January 12, 2017

Re: Notice of Data Breach

Dear Sample A Sample:

For nearly 15 years at SwimOutlet.com, our customer service and online shopping experience have been our company’s top priorities, so we were dismayed to learn in late November that we had been the victims of a sophisticated cyber-attack that may have affected the security of our customers’ payment information.

We are contacting you personally to provide you with clear information about the incident, steps we are taking in response and action you can take to protect against fraud should you feel it is appropriate.

We apologize for the inconvenience this may have caused and can assure you that we worked hard with top security experts to make our site as safe as possible from these cyber-criminals going forward.

What Happened? On October 31, 2016, we began investigating some unusual activity reported by our credit card processor. We immediately began to work with third-party forensic experts to investigate these reports and to identify any signs of compromise on our systems. On November 28, 2016, we received confirmation of a sophisticated cyberattack in which a hack into our system may have compromised some customers’ debit and credit card data used at http://www.swimoutlet.com between May 2, 2016-November 22, 2016. The information at risk as a result of this event includes the cardholder’s name, address, phone number, email address, card number, expiration date, and CVV.

Our Response: What We Are Doing. We take the security of our customers’ information extremely seriously and we have been working with independent forensic investigators to determine what happened, what information was affected and to implement additional procedures to further protect the security of customer debit and credit cards. We are also working with the Federal Bureau of Investigations to investigate this incident. The software from the criminals that attacked our system has been removed and you can safely use your payment card at http://www.swimoutlet.com.

What You Can Do. Please review the enclosed Privacy Safeguards Information for
additional information on how to better protect against identity theft and fraud. We
encourage you to remain vigilant against incidents of identity theft by reviewing your account statements regularly and monitoring your credit reports for suspicious activity. Under U.S. law, you are entitled to one free credit report annually from each of the three major credit bureaus. To order one, visit http://www.annualcreditreport.com or call 1-877-322-8228. You may also contact the three major credit bureaus directly to request a free copy of their credit report.

For More Information. Should you have any questions about the content of this letter or ways you can better protect yourself from the possibility of identity theft, we encourage you to call the dedicated assistance line, staffed by professionals who are experienced in working through situations like this, at (877) 237-5190, Monday through Friday, 9 a.m. to 7 p.m. EST (closed on U.S. observed holidays) and provide reference number 1219010417 when calling.

The security of your information is incredibly important to us and we let down our
customers, which is why we wanted to contact you as promptly and with as much detail as we could. We are truly sorry about this. The incident will only make us work harder to be the best aquatics shop on the web and serve our customers as best as we possibly can.

Sincerely,

Avi Benaroya
Chief Executive Officer, SwimOutlet.com

Minimalist Software is a Lot of Work

It is the right work. It is the most rewarding work. It is the most accessible and usable work.

I use the Vim plain text editor just often enough to ensure that I’m constantly forgetting how to use it, but when I am using it, I like to manage its plugins with vim-plugin.

Its creator works diligently to have it live up to being the “minimalist Vim plugin manager” and it shows in its easy of use and performance.

“vim-plug labels itself as “minimalist plugin manager” and I’m not in favor of adding more features to it. Unlike “modern” editors, Vim is basically a single-threaded, synchronous program, and to start a background process, you’ll have to use a bleeding-edge version of Vim or Neovim, while one of the strong points of vim-plug is its obsession with backward compatibility (almost all of its features work in archaic Vim 7.0 with Git 1.7)” ~junegunn

Junegunn inspires me! His incredibly generous is evident in the beautiful software he creates. Looking around his git repositories and issues trackers reveals a very thoughtful, generous and talented person.

Thank you Junegunn!

Account Reset Terror

Email subjects on emails from the end of last week:

I expect more emails like this over the next week. Only the last one — the blog post from my former employer Automattic — reflects a company taking appropriate steps:

We checked the accounts of 600,000 other WordPress.com users whose email addresses were included in the list. Since these users were not immediately vulnerable, we did not reset their passwords or send emails but will be enabling a notification in their dashboards so that they can assess the security of their passwords at their leisure and with all of this information in hand.

It is frightening that “over 100,000 accounts for which the password given in the list matched the WordPress.com password”. That is over 14% of the gmail address that matched. Still I’m not sure that justifies the other service provider wholesale resetting all the gmail addresses that match.

I have accounts on a large number of services. It feels like I’m now regularly getting more required password reset emails and “If you didn’t make this request, it’s likely that another user has entered your email address by mistake and your account is still secure.”

Are IMDB and Etsy’s approaches good? Does it help customers?

Are real solutions to today’s authentication challenges on the horizon?

Joyeur

My start date at Joyent was Monday, August 19, 2013. At the end of this week, I’ll have been at Joyent for nine months.

Writing this post after nine months is a coincidence. The impedance for this post is actually my colleague Deirdré Straughan’s Joyent Retrospective.

The video is a “retrospective of the videos [Deirdré has] done in the last few years”. The video is wonderfully playful. Joyent CTO Bryan Cantrill appears to fidget along to the music.

The experiences highlighted in the video are the real gift. Deirdré links to all the the videos (with the exception of the internal meet-and-greet ones). Deirdré has done an incredible job leading Joyent sharing so much of its technical expertise.

Watching Joyent Retrospective brings to mind the journey I’ve been part of here. I thought I knew what I was getting myself into, but I really had no appreciation of the depth and pragmatic uniqueness of this team and technology. No company compares to Joyent in density of expertise in Infrastructure as a Service and as a product. This team has deep, deep, strong roots and continues to execute on its vision.

A better ride in the big city

Julia is sick, so I had to return her heavy photography lighting today. I was naive to the amount and weight of equipment that professional portraiture involves.

I was happy to take an Uber for free when I used PayPal as payment for the first time (expires Nov 28, 2013): http://blog.uber.com/paywithpaypal

If you don’t have an account, you can get another $10 credit using my referral code: http://www.uber.com/invite/uberlloydde

I’m relieved I didn’t have phone a taxi company only for one not to show, or to try to hail down a taxi. I’m too old for white-knuckled rides through the city.

I don’t use Uber much as I like to walk and use public transit. When I do need it, I’m very thankful for the service.

I’m terrible with names of people, addresses, and locations. Uber makes me feel more comfortable navigating San Francisco. I can enjoy San Francisco more. Uber is easy and it works.

Also, as a technology professional Uber inspires me.