14 DAY TRIAL // A new data breach has been recorded in the state of Vermont, with customers of Simms, retailer of high-end fishing gear, being caught in the hook by the cybercriminals.
Weston Fricke, vice president of finance at the company, says that the incident was discovered at the beginning of the month, on November 6, but malware had been planted on the online check-out system since September 1.
CVV codes have been exposed
The threat has been removed, although cybercriminals were able to access names, addresses and credit card information consisting of card number, expiration date and the CVV2 (card verification value) code.
Online merchants are recommended not to store the CVV2 code on their systems as it is against the Payment Card Industry Data Security Standard (PCI DSS), specifically to reduce the risk of fraud.
This code serves in online shopping sessions to verify that the buyer actually has the card in their possession at the time of purchase. Without this number, cybercriminals are not able to charge the card illegally, even if the card number, its expiration date and the name of the owner are known.
Complimentary identity theft protection provided for one year
In a letter addressed to the affected individuals, Fricke says that there is no indication that the stolen information has been misused.
The nature of the malware remains unknown at the moment, but Simms assures that all threats have been eliminated from their systems by the website hosting service. Law enforcement has been contacted and is offered full cooperation, Fricke says.
However, the company contracted the services of an identity protection service and is offering the impacted customers free membership for a period of one year. In case of fraud, the service will do the work to recover the financial losses, restore the credit, and ensure that no damage is imparted on the customer’s identity.
Despite the added protection, Simms still recommends clients to review financial statements on a regular basis and check the credit report. If suspicious activity is detected, the credit reporting agency should be contacted without delay.
Some of the clues that irregular activity has occurred include account or creditor inquiries that have not been initiated by the owner, or which are unknown.
“We recommend you remain vigilant with respect to reviewing your account statements and credit reports, and promptly report any suspicious activity or suspected identity theft to us and to the proper law enforcement authorities, including local law enforcement, your state’s attorney general and/or the Federal Trade Commission,” the letter says.
