14 DAY TRIAL // DLP Lamp Source, a distributor of replacement DLP and LCD lamps, is in the process of notifying its customers of a data-breach incident, which exposed their personal information and credit-card details. The company notes that the administration portion of its website was compromised by unknown attackers.
We have become aware of this incident after one of our readers, who prefers remaining anonymous, has forwarded us the notification letter (PDF) the company sent to its customers. The document does not go into very specific details, but notes that the breach was discovered recently and that law enforcement agencies have launched an investigation.
Even though it is specified that the website's administration interface has been compromised, there is no information about the method used by the attackers. It is mentioned that the website has been locked down and that "data source tables" have been cleaned, so we can speculate that this attack has involved some form of unauthorized data or maybe code injection.
The company offered some advice to its customers in the letter, but nothing more than it's legally required or already freely available. For example, the possibility of getting an annual credit report from the three major U.S. credit-reporting companies, Experian, TransUnion and Equifax, is mentioned.
The possibility to place a free fraud alert or security freeze on their credit file is also specified. However, there is no free credit-monitoring subscription being offered, as it is customary with significant data-breach incidents. The exact number of affected individuals or credit cards compromised has not been disclosed, but the exposed personal information is said to include at least the customers' names.
"We deeply regret that this incident occurred and take very seriously our obligation to protect the privacy of personal information," Dan Buchbinder, president & CEO of DLP Lamp Source, stressed. The company is currently examining security measures to implement in order to prevent similar breaches from occurring in the future.
We have contacted DLP Lamp Source and requested more information about the incident. We will return with more information when and if it becomes available.
Update (4 Aug 2009): One of our readers, who claims to be a DLP Lamp Source customer and to have received the same notification letter, informed us of fraudulent activity on his credit-card account, amounting to $600. We encourage other DLP Lamp Source customers reading this article to check their accounts on a daily basis and contact their banks about the best approach to protect their savings.
Update (5 Aug 2009): We have been in contact with the President of DLP Lamp Source, Dan Buchbinder, who has told us that due to the ongoing investigation he cannot discuss specific details about the data breach. However, he has stressed that customers will not be held liable by their banks for fraudulent charges that result from this incident.
Another important aspect that Mr. Buchbinder has been kind enough to reveal is that affected customers who contact the company are being offered a free, one-year subscription with a credit-monitoring service. The company can be reached at 1-866-764-5822 (toll free). "We are extremely apologetic for any concern or inconvenience this may have caused our customers," Mr. Buchbinder has added.
Correction: Our claim, previously made in the August 4 update, that the company failed to respond to our request for comment was bogus and we have corrected it. We confirm to have received an e-mail from Dan Buchbinder, president of DLP Lamp Source, on July 31 2009.