By RICHARD WOOD
Hundreds of credit card numbers were exposed online at the weekend on the website of magazine publisher Trends Publishing.
A simple web address on Trends' secure server went directly to the folder holding transactions, which were dated between May 19, 2002 and October 4, 2002.
Web designer Randal Hedges acknowledged the security lapse, which allowed details including credit card numbers, email addresses, names and physical addresses to be accessed across the internet.
Hedges said the problem began on Friday.
He fixed it once the Herald got in touch with him yesterday morning.
"We are reasonably confident the risk is very low," he said.
Hedges said the problem was caused by the migration of the website to another server and the failure to set the security on the new machine.
The web system Trends used for ecommerce was not commonly used or suitable for the task.
A decision had since been made to replace it with Microsoft's ASP and SQL Server, he said.
"We are migrating off this technology because it actually has a couple of problems other than just the one you've seen," he said.
These had previously been sorted out.
On the other hand, publisher and managing director David Johnson said he believed that someone with intimate knowledge of the system had broken the site's security, leaving the firm exposed.
"You have to have inside knowledge of the site and how it was built."
Johnson said it might have been a set-up where the security was switched off.
"It had to have taken a code to get into the site, to break into our secure server."
The firm sought banking and legal advice yesterday and apologised to the customers in an email, saying the problem was fixed and would not happen again.
The email said it was unlikely customer details were compromised but suggested they keep an eye on their credit card statements and get their cards replaced.
Martin Kleintjes, national manager of the police electronic crime laboratory, agreed that in this situation every customer involved should be notified immediately so they could take action with their bank and change cards.
"Security of these people's information has been compromised and it has to be dealt with in getting a new card."
It was the responsibility of the cardholders to notify their respective banks, he said.
One of the customers involved described the incident as pretty scary.
She said she usually used her card on New Zealand sites only because "you have a preconception that things are rather safe using New Zealand internet sites".
When she spoke to WestpacTrust through its 0800 service the bank moved immediately to block the card and issue another.
WestpacTrust spokeswoman Jane Anderson told the Herald that credit cards were very safe.
Much of the risk attached to a credit card fell on the banks and the merchants.
"I wouldn't give my credit card number unnecessarily, and I don't think it's a helpful thing to have happened, but I think customers are well protected."
BNZ spokeswoman Jackie Millar agreed.
BNZ credit cards would be replaced free of charge in such a case, she said.
Regarding merchant liability, she said merchants were obliged to keep cardholder details protected.
But in such circumstances the BNZ would work with a merchant case by case.
Publisher exposes credit card info on net