Ask HN: Crap, I just downloaded over 10000 Credit Card Numbers - Now What?
I'm a developer in the freelancing/early startup phase, and had a client ask me to look at their current CMS/Online Store. I found out that the service they're using is storing credit card numbers, names, addresses, phone numbers, and cvv - probably in plaintext too. Obviously this is NOT PCI Compliant!
I poked around a bit to see wtf is going on and unintentionally dumped the entire db of 10,000+ credit card numbers, cvv, etc. For ALL of the system's users!
I'm a good person, and I really would rather not use this information incorrectly, so what's the right thing to do that won't land me in jail?
If anyone is wondering the shopping cart service is apparently based in PHP.
Edit: I didn't make it clear enough, this is a service - like shopify - but definitely NOT shopify :) Appears to be locally operated, and has a good number of local clients.
27 comments
[ 3.2 ms ] story [ 72.5 ms ] threadIf you aren't going to do that, or even if you are, contact the people who are storing this in plaintext and tell them why it is wrong perhaps even give an ultimatum for further action.
But you probably should talk to a lawyer first make sure you know what you should do.
- Inform your client about the problem and how you can fix it.
- Fix it.
http://srm.sourceforge.net/
There are free utilities out there that delete securely. If you already deleted the file, which I think you posted is the case, there are also utilities that will overwrite the slack space on your drive, which will also make the file unrecoverable.
Why are these things always so hard? Why bring a lawyer (who will charge money fo his services) in own it?
This is an awfully embarrassing situation for the company he's working for. They could decide to cut their losses and turn him into the police, betting that public outrage will focus on the malevolent thief instead of on their innocent security mistakes.
Or, if they're more worried about their liability (possibly including liability for theft already committed by less scrupulous employees or consultants,) then one way to sweep it under the rug would be:
1. Produce a serious and viable legal threat against the poster.
2. Use the threat to make him sign an agreement never to speak another word about their credit card problem.
3. End his contract.
4. Go on with whatever they want to do (fix the problem, or not) with much greater confidence that this will never publicly surface and bite them in the ass.
That wouldn't be a catastrophic outcome for the poster, but even in that situation I'd rather have a lawyer advising me.
When I purchased a business I found a DB with all customers CC info in it while doing my due diligence (it was a crappy cart system written by some guy overseas). The seller was surprised they were there, but didn't seem to grasp the gravity of the situation ($150,000 fine for example).
I had my purchase contract written to explicitly say that I was not purchasing the CC info, and I left no trace of the numbers on my computer. IANAL, but I figure if I didn't obtain the numbers and I don't have the numbers I should be fine.
I'd recommend you tell the client about the problem. Offer to fix it, and make sure there is no trace of it on your computer. Probably worth asking a lawyer, but I don't see what else you can do.
I'm just starting out, in college, so lawyers aren't in the budget...
Just kidding.
1. Delete the data. 2. Call the client. 3. Explain what happened. 4. Prepare to be blamed. 5. Do the right thing anyway.
This has nothing to do with the language and could just have easily been accomplished in any other language.
I'll shift my blame to the developer for not completing their due diligence before writing software.
Also, then if I were you, I would try to keep my dev and personal computer more secure. I know that I am a freak that way. :)
Simply by posting this story, you may have opened yourself up to a lawsuit because an enterprising mind could follow your HN history and what you've posted here, put together enough clues, and find out the vulnerable system. They could hack it. No, you weren't directly responsible for it, but civil law is an entirely different beast than criminal law.
Alert the client. Shred the files. Offer to fix.
The crazy part to me is that these guys are storing this information for years (One of the first rows was from 2002, and the last 2010) and they're not doing any kind of recurring billing/customer profile stuff. So if I make a purchase 10 times my card is stored 10 times.
To top it off, I went back on it while writing the client, and I don't even need a password to access data. I can create a valid session by setting a url parameter. :(
2. Perhaps an anonymous tip to Visa and Mastercard would be in order. The provider needs to be shut down, as what they are doing goes beyond any excusable security failure. Almost every developer, no matter how good, can botch security--and so if all they were leaking was credit card numbers, names, addresses, and phone number, it would be at least remotely forgivable, if they were to promptly fix it.
However, you said they have the CVV too. That is not supposed to be stored at all. Of course, an online store site has to keep it for the duration of processing the transaction, but that should only be a few minutes. The fact that they are storing CVV shows that they are beyond redemption.
3. As for the numbers and other data you downloaded, secure delete it. I doubt anyone is going to care much about it. I once had a file with about the same number of card numbers and contact information, which I received unsolicited, offered up as a sample of the 100k cards the sender wanted to sell me. I was able to do some checking and determine that the information was apparently legit.
I called Visa and (I think) American Express. I naively thought they would be interested in putting immediate holds on the accounts. Nope. The FBI was not interested either--they suggested that the Secret Service would be the appropriate agency to deal with someone trafficking in stolen credit cards. The Secret Service disagreed. Eventually the next day I found someone at Visa who asked me to mail her the list.