250 News - Your News, Your Views, Now

Auction.Net Hacked?

Friday, May 4, 2012 @ 4:48 PM
Prince George, B.C. - People who have registered with the CKPG online auction called “auction.net” have been sent an advisory to immediately cancel the credit card they have registered with that online purchase program.
 
The email reads as follows:
 “CKPG was advised on the evening of May 3, 2012 that the credit card information which our ckpgauction.net participants provided to its internet management service provider may have been compromised. 
We have advised the RCMP and they are investigating the matter.  If you provided your credit card information to participate in ckpgauction.net you should contact your credit card company immediately and cancel and replace your card to avoid any potential fraudulent use of your credit card. 
 
CKPG and its internet management service provider are taking steps with the RCMP to cause the investigation and prosecution of this apparent criminal activity. We will provide any information we can as available but in your interest we urge you to take IMMEDIATE steps to mitigate risk of unauthorized use of your credit card information.”
 
It is believed a hacker may have managed to get into the database of Borealis Internet, which manages the auction.net site.
 
On its own website, CKPG says “At this point it’s not clear whether credit card data was accessed.” They also note that while there have been no complaints of compromised cards, “an email has been sent to all participants, urging them to immediately cancel their credit cards and order a replacement.”
 
The RCMP have confirmed they are investigating but can offer no details so early in their investigation.
 
There is now a second issue on this matter. When CKPG issued a notice advising current and past AuctionNet users about the problem, they failed to "blind CC" the recipients of the email. That means hundreds of private email addresses were emailed to every person signed up for AuctionNet. The station issued an apology for that privacy breach about an hour after issuing the first notice.

Comments

hahaha, nicely done CKPG!

Who cares about the email addresses. Big deal that info is easy enough to get.

If true, what a massive blunder! Have they got 15 year olds working at that station?

I think 15 year olds would be more computer savvy than that.

Good point.

It’s a big pain to cancel your credit card…you are without a card until a new one gets mailed out. You have to contact anyone that you have auto-charges with and let them know their payment won’t go thru. Then when your new card gets in you have to contact them again with the new info. There should be some kind of compensation offered to everyone that has to go thru all that.

Why is everyone blaming the TV station? They were not the ones that got hacked. The credit card data was held by Borealis, they got hacked, the onus falls on them.
I was one of the ones affected and had to cancel my card, at least I received an email direct, informing me of the situation and did not have to wait and hear about it on the news.

Exactly spectre180, I was one as well & appreciated being contacted and when I called CKPG to get some further information my call was returned within 10 minutes & an apology, I will continue to support Auction Net.

Methinks I will remain a Luddite when it comes to NOT banking online. Besides, I wouldn’t want any teller to lose their job.

CKPG could just let people sign up without a card and give them ten days to pay for purchase or it goes back on the buy now site. Pretty easy really.

spectre: “Why is everyone blaming the TV station? They were not the ones that got hacked. The credit card data was held by Borealis, they got hacked, the onus falls on them.”

It doesn’t really matter. They are connected to CKPG Auction.net. As a result of this, people will probably be more hesitant to deal with them in the future.

With 17 years of web experience (largely in Prince George), I can tell you that this is exactly the sort of thing that should (by all rights) actually be happening more regularly.

The responsible operators use reputable credit card processing firms like PayPal and Moneris — the credit card information is *NEVER* stored on the PG based site.

It is very resource-intensive to program truly secure software, and then audit it to make sure you didn’t miss anything. Prince George businesses don’t have the money to be doing that themselves, so they either settle for a situation that leads to this, or they pay a third-party.

To CKPG: shame on you for not ensuring your service provider would undertake methods to secure this data. Double shame on you for not BCC’ing your membership, adding insult to injury.

To Borealis: shame on you for storing this data in a manner that could be compromised. Did you really think you were better programmers and security administrators than legitimate providers like Global Payments, Citigroup and TJX Cos.? (ref. http://online.wsj.com/article/SB10001424052702303816504577313411294908868.html )

Great post, KrisB. Right on the money! (pun intended).
