SAN DIEGO -- Internet retailers have worked hard to squelch
consumer fears of credit card number theft, using sophisticated
encryption and other high-tech strategies to make online shopping
But the industry's security image took another blow with the
disclosure that the credit card database of a health products
supplier was open to hackers for a few hours this week.
Word of the security breach at Global Health Trax Inc. comes as
credit card companies are canceling thousands of cards because
someone pilfered their numbers from CD Universe, a Web music
seller. The card companies say the CD Universe case, uncovered
Monday, has resulted in the largest mass-cancellation of cards they
"When someone hacks a site, it raises a lot of questions to the
consumer," said Chris Merritt, of the Atlanta-based retail
consulting firm Kurt Salmon Associates. "They are thinking, `You
told me that you have a secure site, but how do I really know if it
Internet shopping doubled last year to $15.6 billion, said David
Schatsky, an Internet commerce analyst for Jupiter Communications
in New York. But security remains the top concern of consumers and
could slow the industry's growth.
It could also prompt consumers to gravitate toward the
established Internet retailers and away from lesser-known
start-ups, Merritt said.
Global Health Trax, based in Poway, east of San Diego, is one of
the less-established retailers. The company sells dietary
supplements to about 3,500 distributors nationwide and has annual
sales of about $3.5 million, executive vice president Lorin Dyrr
Distributors can go to the company's web site,
www.ghtonline.com, and enter their credit card number on an order
form that is e-mailed to the company.
On Monday, account information on several hundred distributors,
including home telephone numbers and bank account and credit card
numbers, was open to hackers on the company's old web site,
www.globalhealthtrax.com, Dyrr said. That site was abandoned a year
The company said it believes the breach was a case of corporate
sabotage by former employees and few people accessed the numbers.
The customer files were exposed because the person who helped to
design the Web site left the files on an unsecured part of the
site, the company said. Anyone with the correct Web address could
have accessed it. It is unclear how that address was publicized, if
The customer information was available for a few hours and at
least two people accessed the site, including a reporter for the
Internet/cable TV news service MSNBC who contacted the company
Monday about the glitch, Dyrr said.
The reporter said he was alerted to it by a "concerned
technology worker," who Dyrr believes is one of the culprits and
the other person who accessed the site.
Dyrr said five distributors canceled their accounts after MSNBC
reported the breach Tuesday. Other customers said they had noticed
odd account transactions or credit card charges in recent months,
some for as little as $70.
"This kind of sabotage can happen in any type of company,
Internet or not. If we didn't have a computer system, they could
take this information and fax it all over the planet," Dyrr said.
This is a different scenario from Connecticut-based CD Universe.
In that case, an unidentified hacker, who described himself as a
19-year-old from Russia, claimed to have stolen 300,000 card
numbers by exploiting a flaw in security software.
He said he sent a fax to the company last month offering to
destroy his credit card files in exchange for $100,000. When the
company refused, he used a Web site called Maxus Credit Card
Pipeline to distribute up to 25,000 of the stolen numbers.
Since then, credit card companies and banks have worked with CD
Universe to locate their customers who used the online retailer.
Wachovia, the nation's 16th largest bank, offered to reissue
2,000 cards to its customers who bought from CD Universe, but found
no cases where the cards had been fraudulently used, said Charlie
Hegarty, a bank executive.
"You could say it was a bit of overkill at this stage of the
game, but we wanted to give our customers that extra bit of
assurance," Hegarty said.
Credit card users are generally liable for only $50 of
unauthorized charges. The issuers pay the rest.
Discover Financial Services is reissuing cards for more than
10,000 customers, spokeswoman Cathy Edwards said. Visa and
MasterCard are working with banks, which issue their cards, to
identify CD Universe customers.
American Express is also reissuing cards, but spokeswoman Judy
Tenzer declined to specify how many customers were affected.