There was unauthorized access to an administrative account of the midwestsupplies.com website using the credentials of a Midwest Supplies employee but originating from a foreign country.



That account was used to upload a malicious command shell to the midwestsupplies.com web content server. This file was disguised as a graphics file.



The command shell was used to insert 2 lines of malicious code into the web servers payment module. The malicious code was designed to intercept a copy of the cardholder data that was being submitted for authorization to Authorize.net, a VISA company (a variant of a man in the middle attack commonly called a double mailer).



The cardholder data elements at risk include PAN, CVV, Expiration Date, Name, Address, Phone and Email.

Most customers were not at risk. At risk were only those customers who entered credit card information. Customers who had stored their sensitive cardholder data elements prior to the time of the breach or who used PayPal were not at risk.

We have confirmed that all malicious code has been removed from the web servers and have fully audited the web sites source code for any unauthorized changes.



We have limited even further the access to our administrative functionality of all of our web applications and made universal the requirement to use random but strong passwords generated by password management utilities in cases where we did not do so before.



We have reconfigured all of our web servers to prevent the execution of code from unauthorized directories.



We have added intrusion detection and file system monitoring processes and tools to detect unauthorized attempts to modify content on our web servers.



We hired an independent third-party auditor to confirm that we do not unknowingly store sensitive cardholder data such including PAN, CVV or Expiration Date; as we have said before, all of this information is stored for by Authorize.net, a VISA company, for the convenience of customers.



We have added to our information technology group a leader with skills and experience consistent with our scale and complexity.



We must maintain constant vigilance against those nameless people who would do us harm.



We needed to communicate better by providing additional updates that would not have compromised the on-going investigation of law enforcement into what is a crime.



If we had provided those additional facts about what we know and what we have changed, we would have reduced speculation.



We did not appreciate fully that some of you would fear that the theft of sensitive cardholder data would place your identity at risk. If you are concerned about this, we will, of course, arrange for one year of credit monitoring for you at our cost.

