Online daily deal company LivingSocial Inc. has contacted more than 50 million customers whose information may have been compromised in a recent cyber-attack, a company spokesman told BNA April 29.
“The information accessed includes names, email addresses, date[s] of birth for some users, and encrypted passwords--technically 'hashed' and salted' passwords,” the company said in an April 26 email to customers. “We never store passwords in plain text.”
However, “[t]he database that stores customer credit card data was not accessed or affected by the attack,” Andrew Weinstein, a spokesman for LivingSocial, told BNA.
LivingSocial added in a security notice on its website that the database that stores the financial and banking information of its merchants was not affected.
The company said that it is working with law enforcement agencies to investigate the attack.
Connecticut Attorney General George Jepsen (D) and Maryland Attorney General Douglas F. Gansler (D) have asked LivingSocial for more information about the possible impact of the data breach on consumers, according to a May 2 statement by Jepsen's office. The attorneys general have asked for a timeline of the incident; the number of affected individuals in each state; the types of data compromised; any reports or complaints about unauthorized charges; and a description of the company's security protections.
“For the business, [the attack] is a tremendous confidence shaker, as it likely will lead to people becoming more reluctant to use this service,” Kirk Nahra, partner at Wiley Rein LLP in Washington and a member of the advisory board for BNA's Privacy & Security Law Report, told BNA April 29. “These kinds of breaches also can have a broader impact on internet commerce in general, putting pressure on all businesses to beef up their security and address potential customer concerns.”
LivingSocial said on its website that it does not believe that any customer accounts have been compromised as a result of the attack. “It is difficult to decode a password that has gone through the hashing and salting process, and we have not received any abnormal reports of accounts with unauthorized charges or activity,” the company explained.
“What this means is that our system took the passwords entered by customers and used an algorithm to change them into a unique data string (essentially creating a unique data fingerprint)--that's the 'hash',” LivingSocial said. “To add an additional layer of protection, the 'salt' elongates the password and adds complexity.”
“This breach is a reminder of how much information is available on the internet and how precarious it can be,” Nahra said. “At a minimum, this breach involves a variety of data that can be packaged to learn a lot about people, including a variety of information that could lead to areas of concern … .” For example, he said, the attack could lead to the discovery of additional information, such as businesses that a LivingSocial customer has patronized.
In addition to increasing its monitoring of customer accounts, LivingSocial retired the passwords of affected customers and directed them to create new ones. It also encouraged those customers to consider changing their passwords on other websites where they use the same or similar passwords.
LivingSocial is notifying customers of the cyber-attack in every country in which it operates with the exception of South Korea, Thailand, Indonesia, and the Philippines, Weinstein said. The company's subsidiaries in those countries store their information on different servers, he explained.
“The security of our customer and merchant information is our priority,” LivingSocial Chief Executive Officer Tim O'Shaughnessy said in a notice to employees provided to BNA. “We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.”
By Katie W. Johnson
LivingSocial's customer notification and password change instructions page is available at https://www.livingsocial.com/createpassword.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).