This article provides an overview of a security incident that involved the transfer of a limited number of customer credit card and address details to a third party. You can find more details, including information on what to do if you believe you have been the victim of fraud, here.
On 16 November we became aware of a security breach in our systems. This security breach involved the transfer of customer credit card and address details to a third party. The breach affected customer accounts created on or after 19 August 2015.
When did it happen and why wasn’t I informed earlier?
Affected customers were contacted as soon as we were able to identify that an attack had been made and were able to identify which customers were affected.
Detailed timeline of events
On Friday 13 November we identified 3 customers whose subscription payments to us had failed as a result of suspected fraudulent payments being made on their cards. There was no reason at this stage for us to believe this was caused by us but it prompted us to investigate further. On Friday and over the weekend we were unable to identify any security issues. However, on Monday 16 our technical team identified two pieces of malicious code that had been placed on our systems. We immediately fixed the issue and identified a timeline for the attack. We used this timeline to identify customers who are affected. As soon as we were clear that an attack had been made we notified customers of the incident and any further actions we believed they should take.
What was the breach?
Our investigations identified two pieces of malicious code that had been placed on our server and in our database. These codes were transferring personal data from our secure payment pages to another file on our server, which was subsequently sending the data to an external site. Credit card details were not, and never have been, stored in our database or elsewhere on our server.
As soon as this code was identified we removed it and launched a more detailed investigation into the security of our payment systems.
Our payment pages continue to be served securely over HTTPS and our credit card processing facility, Stripe, heavily protects and encrypts all customer data. Before data is sent to Stripe it is tokenised (as it always has been), meaning that even if external access were gained to the token that contains your data it could not be accessed in a format usable by an attacker.
How did the breach happen?
With an attack of this nature there are two possible causes. Either someone with approved access placed the code there, or an external attacker gained access to our systems and did the same. Given the level of access and knowledge of our systems required for this attack, and our existing security measures, we are focussing our investigations and follow-up actions on the possibility of an internal attack.
At this time we do not believe that any external access to our systems was gained, nor do we believe that the type of data obtained could be extracted through an external attack.
However, we are keeping an open mind and continue to investigate all possibilities.
What happens now?
Our first step has been to review and limit access to our systems. Only a limited number of individuals now have access to our servers and databases and all relevant passwords and access controls have been changed. Within the EdPlace team only two people have access to these services. External contractors continue to require access - this access is limited to three trusted individuals.
We will be appointing an external security consultant to make a full review of internal security processes and will be implementing their recommendations as a priority.
We have also undertaken a review of any external vulnerabilities. We believe that our systems are secure from any external threats but are continuing to add further layers of security on top of our existing infrastructure. Our payment pages continue to be served securely over HTTPS and using an Extended Validation SSL certificate provided by Digicert. We continue to use Stripe as our payment gateway, which heavily protects and encrypts all customer data. Before data is sent to Stripe it is tokenised (as it always has been), meaning that even if external access were gained to the token that contains your data it could not be accessed in a format usable by an attacker. Credit card details are not, and never have been, stored in our database.
A further external review of overall site security will also be undertaken.
We’re confident we’ve identified and resolved the issue. The steps we’re taking as part of our ongoing security review will ensure the highest level of protection going forward. Maintaining your privacy and protecting your data is our number one priority.
If you would like to speak to someone about this incident please email firstname.lastname@example.org or call us on 020 7183 9818.