Ask HN: Crap, I just downloaded over 10000 Credit Card Numbers - Now What?

17 points by blaines ↗ HN
I'm a developer in the freelancing/early startup phase, and had a client ask me to look at their current CMS/Online Store. I found out that the service they're using is storing credit card numbers, names, addresses, phone numbers, and cvv - probably in plaintext too. Obviously this is NOT PCI Compliant!

I poked around a bit to see wtf is going on and unintentionally dumped the entire db of 10,000+ credit card numbers, cvv, etc. For ALL of the system's users!

I'm a good person, and I really would rather not use this information incorrectly, so what's the right thing to do that won't land me in jail?

If anyone is wondering the shopping cart service is apparently based in PHP.

Edit: I didn't make it clear enough, this is a service - like shopify - but definitely NOT shopify :) Appears to be locally operated, and has a good number of local clients.

27 comments

[ 3.2 ms ] story [ 72.5 ms ] thread
If you really are worried about jail time contact a lawyer and most probably delete any trace of the files.

If you aren't going to do that, or even if you are, contact the people who are storing this in plaintext and tell them why it is wrong perhaps even give an ultimatum for further action.

But you probably should talk to a lawyer first make sure you know what you should do.

- Did you delete db from your local computer? If not, do it now.

- Inform your client about the problem and how you can fix it.

- Fix it.

You should do a secure deletion. Generally, deleting a file just removes the pointer to it within the file system--it isn't overwritten immediately, and is still recoverable.

There are free utilities out there that delete securely. If you already deleted the file, which I think you posted is the case, there are also utilities that will overwrite the slack space on your drive, which will also make the file unrecoverable.

Obviously, just delete the file, tell your client exactly what happened and explain how you can help them secure their data better. Turn this accident into an opportunity.

Why are these things always so hard? Why bring a lawyer (who will charge money fo his services) in own it?

They are hard because there is always risk that an "obvious" decision will create civil or criminal liability. A lawyer can help you assess and mitigate that risk.
(comment deleted)
Don't forget to shred a file you want deleted.
Why are these things always so hard? Why bring a lawyer (who will charge money fo his services) in own it?

This is an awfully embarrassing situation for the company he's working for. They could decide to cut their losses and turn him into the police, betting that public outrage will focus on the malevolent thief instead of on their innocent security mistakes.

Or, if they're more worried about their liability (possibly including liability for theft already committed by less scrupulous employees or consultants,) then one way to sweep it under the rug would be:

1. Produce a serious and viable legal threat against the poster.

2. Use the threat to make him sign an agreement never to speak another word about their credit card problem.

3. End his contract.

4. Go on with whatever they want to do (fix the problem, or not) with much greater confidence that this will never publicly surface and bite them in the ass.

That wouldn't be a catastrophic outcome for the poster, but even in that situation I'd rather have a lawyer advising me.

While this is embarrassing for my client, they're only using the software as a service. So I'm more worried that my client may inform the service company, which is even more embarrassing for that organization. I know my client won't be upset, after all they're having me make their new CMS, but the software as a service company might not be so kind.
I'd like to make this an opportunity, but definitely want things done right first. Since this software isn't mine or my client's software, but a service company's, I'm a bit leery to just call them up and tell them, "Hey I have all the CC#'s for every transaction ever run through your system". So that's why I'm here asking for advice :)
I think what Amanjeev suggested is correct, don't call, better email (written) so that you can have some defensive point. and choose the correct words.
Is this a custom store or a package out there somewhere? The latter would be pretty scary.

When I purchased a business I found a DB with all customers CC info in it while doing my due diligence (it was a crappy cart system written by some guy overseas). The seller was surprised they were there, but didn't seem to grasp the gravity of the situation ($150,000 fine for example).

I had my purchase contract written to explicitly say that I was not purchasing the CC info, and I left no trace of the numbers on my computer. IANAL, but I figure if I didn't obtain the numbers and I don't have the numbers I should be fine.

I'd recommend you tell the client about the problem. Offer to fix it, and make sure there is no trace of it on your computer. Probably worth asking a lawyer, but I don't see what else you can do.

Thanks for the advice! It's a service - like shopify - but definitely NOT shopify :)

I'm just starting out, in college, so lawyers aren't in the budget...

Where I live, for under $10 the law society runs a hotline which you can call to be referred to a lawyer that can help your specific situation. As part of that referral service, you get a 30-45 minute consultation for free I believe. That's all you need right now. You might want to see if a similar service is offered where you live. See my other post in the thread stating why I think you need to speak to one.
Thats an interesting idea, and it's in the budget :) I'll have a look at my options.
In order to help I'm going to need the URL...

Just kidding.

1. Delete the data. 2. Call the client. 3. Explain what happened. 4. Prepare to be blamed. 5. Do the right thing anyway.

I agree with all the other responses in her (delete it, tell the client, etc). But, the fact you mention this is based on PHP - maybe you were trying to hint at the system, but it sounds like you are blaming the language.

This has nothing to do with the language and could just have easily been accomplished in any other language.

I agree with your statement - and I am blaming PHP a bit, it's gotten better over the years but I have some resentment toward it still.

I'll shift my blame to the developer for not completing their due diligence before writing software.

I think you need to tell this to your client in written. I believe that will help in future that you did inform them and your intentions were noble.

Also, then if I were you, I would try to keep my dev and personal computer more secure. I know that I am a freak that way. :)

Talk to a lawyer too. By posting this you no longer have plausible deniability in the event something bad happens down the road. For example, maybe your client is hacked and an investigation is opened by the credit card company who finds out that you had discovered gross negligence on the part of your client but had not reported it. I'm not sure if that opens you up to the chance of being sued. Somebody might have their identity stolen or the credit card company might want to recoup some costs. Maybe the client turns on you and somehow makes you a scapegoat.

Simply by posting this story, you may have opened yourself up to a lawsuit because an enterprising mind could follow your HN history and what you've posted here, put together enough clues, and find out the vulnerable system. They could hack it. No, you weren't directly responsible for it, but civil law is an entirely different beast than criminal law.

From what you are explaining, I doubt they know enough to know that you downloaded the files. In a case where the CC's are stored in the db, it's a really easy mistake to make accidentally downloading the CC's by doing a db dump. I do this for many of my projects just so that I have a backup in case I screw something up. If they were worried about something like this happening then they should have warned you or put it in a contract.

Alert the client. Shred the files. Offer to fix.

You keep a copy of credit card numbers and CVV unencrypted in a database? Why wouldn't you use a third party/gateway to deal with CC data storage?
When you use the gateway to store the CC data, then with most gateways you are stuck doing all future subscription billing on that card through that gateway. For many businesses, that is an unacceptable restriction.
Oh well that makes some sense - hopefully other companies are encrypting the data and not storing CVV.

The crazy part to me is that these guys are storing this information for years (One of the first rows was from 2002, and the last 2010) and they're not doing any kind of recurring billing/customer profile stuff. So if I make a purchase 10 times my card is stored 10 times.

To top it off, I went back on it while writing the client, and I don't even need a password to access data. I can create a valid session by setting a url parameter. :(

Hehe, no, I was talking about grabbing a copy of the database. We are assuming no knowledge that the database carries copies of CC #'s, or he wouldn't have done it. ;)
1. Tell your client to immediately switch to another service provider for his online store. When the current one gets hacked (note I said when, not if), your client's customers aren't going to care that it was a third party provider your client was using. They will look at it as they trusted your client and that trust was betrayed.

2. Perhaps an anonymous tip to Visa and Mastercard would be in order. The provider needs to be shut down, as what they are doing goes beyond any excusable security failure. Almost every developer, no matter how good, can botch security--and so if all they were leaking was credit card numbers, names, addresses, and phone number, it would be at least remotely forgivable, if they were to promptly fix it.

However, you said they have the CVV too. That is not supposed to be stored at all. Of course, an online store site has to keep it for the duration of processing the transaction, but that should only be a few minutes. The fact that they are storing CVV shows that they are beyond redemption.

3. As for the numbers and other data you downloaded, secure delete it. I doubt anyone is going to care much about it. I once had a file with about the same number of card numbers and contact information, which I received unsolicited, offered up as a sample of the 100k cards the sender wanted to sell me. I was able to do some checking and determine that the information was apparently legit.

I called Visa and (I think) American Express. I naively thought they would be interested in putting immediate holds on the accounts. Nope. The FBI was not interested either--they suggested that the Secret Service would be the appropriate agency to deal with someone trafficking in stolen credit cards. The Secret Service disagreed. Eventually the next day I found someone at Visa who asked me to mail her the list.