Network Solutions data breach stirs controversy

Network Solutions data breach stirs controversy

Network Solutions, a top provider of Internet services, is creating two sources of displeasure for retailers who pay the company to operate their online merchant accounts.

First, Network Solutions announced a data breach involving 4,348 merchant Web sites that extended from March 12 through June 8, 2009. Retailers fear they could lose business as a result.

Network Solutions also has opted to inform 573,928 affected credit cardholders of potential ID theft as a result of the data breach. Some retailers are protesting that Network Solutions is carrying out this ID theft investigation in a manner that could cause customers to blame the retailers for the data breach.

Network Solutions has announced that forensics investigators "determined that (an) unauthorized code may have been used to transfer data on certain transactions" during the nearly three months in question.

Representatives of Network Solutions assert that no related cases of credit card fraud have been uncovered as a result of the data breach. This may seem odd, considering that perpetrators of ID theft are known to proceed quickly before stolen credit card numbers are reported.

Various news reports indicated that the data breach occurred even though Network Solutions had been in compliance with the PCI Security Standards Council, a monitoring group created by five major credit card companies.

Most of the affected merchant accounts are operated by retailers with 10 or fewer employees, according to media reports quoting Susan Wade, Network Solutions' public relations director. Wade added that Network Solutions is contacting affected credit card holders through TransUnion, a credit and information management company best known for maintaining more than 500 million individual credit histories.

A research Web site for retail technology, StoreFrontBackTalk.com, is at the forefront of retail merchants' protests against Network Solutions regarding the data breach. The site reports that proposed customized letters to cardholders would begin by stating, "TransUnion is contacting you at the request of (insert merchant URL) and its credit software support partner, Network Solutions LLC."

Some retailers say the wording may give the impression that their small companies are equally responsible with Network Solutions for the data breach and the potential ID theft.

Wade said Network Solutions is reviewing the wording for possible changes. She told DMNews that the data breach and possible ID theft were discovered June 8 during routine procedures to comply with PCI standards. The unauthorized code was extremely complicated, said Wade, and forensics experts were not able to crack the code until July 13. At that point, Network Solutions contacted federal investigators, notified retailers with merchant accounts and contacted TransUnion to spread the word to credit cardholders.

Network Solutions will offer corrective action to retailers free of charge, Wade said, and will provide credit card holders with 12 months of free fraud monitoring from TransUnion.

Retailers should ask merchant account providers such as Network Solutions to report more promptly on data breaches and possible ID theft, said Amichai Shulman of Imperva, a database security company.

"I don't think (Network Solutions) did worse than others in such cases," Shulman said. "But I think that the industry standard is behind what customers expect."

Published: July 30,2023