Hacker Breaches Payments Site Webcertificate.com

Online payments provider Ecount confirmed to the E-Commerce Times on Monday night that a hacker or hackers breached security at its Web payment site, Webcertificate.com.

"We have reason to believe someone inappropriately accessed data," Ecount chief executive officer and president Matt Gillin told the E-Commerce Times.

According to Gillin, Ecount can only confirm that 25 out of its over 750,000 customer accounts were improperly accessed, but he added that the company's investigation is ongoing.

Gillin said that the company was "100 percent certain" that no Webcertificate accounts were used improperly. As part of Ecount's response to the hack attack, Gillin said that Ecount is reissuing account numbers for all of its customers, even though Internet security was breached for only a small number of the accounts.

Webcertificates are MasterCard-branded stored value cards that are accepted by e-tailers that accept MasterCard. In addition to using the cards online, consumers can pay an extra fee and purchase a plastic card for use offline.

Marketed as online gift cards, Webcertificates can be purchased online using a credit card or earned as a reward at a number of Internet sites, including MyPoints.com.

Card Numbers Elsewhere

Gillin said that earlier this week, there were indications of a hack attempt at Webcertificate that prompted an investigation by Conshohocken, Pennsylvania-based Ecount and its third-party security firm.

Based on the investigation, the company determined that a hacker had gained access to account information and was attempting to retrieve credit card numbers. However, Gillin stressed that no customer credit card numbers were at risk, because Webcertificate does not store credit card numbers on its servers.

"He believes he has credit card numbers, but what he has are Webcertificate numbers," Gillin said.

Because no credit card numbers were stolen, Gillin said that in Ecount's eyes, the "hack attempt failed."

Motive: Extortion?

Gillin believes the motive behind the attack was extortion, and said that Ecount was working with law enforcement to identify the person behind the hack attack.

Extortion has been the motive in other hacker attacks on e-tailers. In December 1999, a Russian teenager stole approximately 300,000 card numbers from CDUniverse.com and posted them online when the e-tailer refused to meet his US$100,000 extortion demand.

Customer Notification

Ecount sent e-mail to all Webcertificate customers Monday notifying them that new customer account numbers and passwords would be issued.

"You're receiving this new account number as a security precaution because we have reason to believe that some Webcertificate account information may have been inappropriately accessed," the e-mail reads. "We want to be perfectly clear: it is your Webcertificate information, not your credit card information, which may have been accessed."

The e-mail also advised consumers that "before making these changes, we evaluated your transaction history and confirmed that your account has been used properly and only by you."

Quick Response

Gillin said that all Webcertificate customers who had purchased plastic cards would be receiving new cards in the mail shortly.

Ecount won praise for its quick response from posters at the MyCoupons Internet message boards.

One poster wrote: "I think this was a very good thing for them to do considering from some companies we would just get a 'we're not responsible for this ... blah blah blah ...' So instead of waiting until more hacking happened, they went ahead and took action to prevent it."