      07-10-2014, 12:17 PM   #1
Augster
Master Gunner
78
Rep
435
Posts

Drives: 2008 335i Sport
Join Date: Aug 2013
Location: Sandy Eggo

iTrader: (0)

Garage List
GetBMWParts aka Tischer Internet Parts Security Breach

Anyone else get a letter from MileOne Automotive?

First I had my personal data and credit card info stolen off of Target's databases which my bank discovered illegal charge attempts against my account, just before the huge data theft made headline news nation/world-wide.

Now I get a notice from GetBMWParts that their website sales vendor, TradeMotion, just had a "Security Breach" wherein customer credit card information was stolen.

I'm getting pissed off with retail/online vendors in their apparently insufficient protection of our personal credit information.

This is only going to get worse unless significant changes are made to electronic payment methods, such as the proposal to incorporate smart chips into credit cards.
__________________
2008 335i Alpine White Sport Sedan AT | Avant Garde M364 Staggered 19"
Appreciate 0
      07-10-2014, 12:19 PM   #2
bimmerdavid
Lieutenant
bimmerdavid's Avatar
United_States
25
Rep
432
Posts

Drives: 2017 BMW M3
Join Date: Mar 2013
Location: Sherwood, OR

iTrader: (1)

Garage List
2009 BMW 135i  [0.00]
2017 BMW M3  [0.00]
Yep, got the same thing!
__________________
2017 M3 - Long Beach Blue, Competition Package, Burger Performance Intake
2009 135i - Dinan CAI, Dinan Exhaust, Turbonetics FMIC, Dinan Stage 2
Appreciate 0
      07-10-2014, 12:38 PM   #3
JS82
Captain
JS82's Avatar
United_States
31
Rep
659
Posts

Drives: '08 E92 328i 6MT Jet Black
Join Date: May 2010
Location: PA USA

iTrader: (12)

I got the same letter.
Had to get a new card because illegal charges were made against my account because of that.
Really annoying!!!!!!!!
Appreciate 0
      07-10-2014, 12:43 PM   #4
NightStalker
NightStalker's Avatar
275
Rep
2,741
Posts

Drives: Audi
Join Date: Nov 2008
Location: New York City

iTrader: (12)

I usually order from "the bmw part store". Never had problems like this with them.
Appreciate 0
      07-10-2014, 01:11 PM   #5
John 070
Lieutenant General
1751
Rep
14,825
Posts

Drives: 335i cpe
Join Date: Oct 2006
Location: ZSP/ZPP/ZCW

iTrader: (0)

Don't you love when a health care (PPO or HMO) loses all member information (like 300,000+) because someone at a health fair had it on a thumb drive, lost it, and couldn't find it? All kidding aside, since HIPAA you don't hear of that happening as much. But these eTailers are free to do what they want, and likely farm out their IT work to insecure and possibly shady vendors.
Appreciate 0
      07-10-2014, 01:16 PM   #6
iturbo_bmw
Major
iturbo_bmw's Avatar
United_States
94
Rep
1,101
Posts

Drives: 335i, 530i
Join Date: Oct 2012
Location: San Jose

iTrader: (0)

Hmm, I didn't get a letter yet... but Wells Fargo did send me a credit card with a chip in it after the Target thing...
Appreciate 0
      07-10-2014, 01:34 PM   #7
Zach1328
First Lieutenant
39
Rep
315
Posts

Drives: 2008 535i / 2007 335i
Join Date: May 2014
Location: United States

iTrader: (0)

Quote:
Originally Posted by John 070 View Post
Don't you love when a health care (PPO or HMO) loses all member information (like 300,000+) because someone at a health fair had it on a thumb drive, lost it, and couldn't find it? All kidding aside, since HIPAA you don't hear of that happening as much. But these eTailers are free to do what they want, and likely farm out their IT work to insecure and possibly shady vendors.
IT work could be a part of it, but not even vendors can see their customers' credit card info if they're using PayPal. On my E-Commerce site I don't accept orders over the phone for this very reason. Online payments only - all secured by PayPal.

An IT worker would still need to hack the cipher text which can't be understood by individuals, so a computer would need to format it into understandable information.

Anyways, GetBMWParts only uses a 128-bit encryption which is significantly less protective than a 256-bit encryption used by companies like PayPal. A 128-bit can be cracked in less than 1/4 of the time it takes to crack a 256-bit.
__________________
07 335i
Mods: JB4 + MHD BEF, RB Twos Plus, Phoenix PI Manifold, Dual Walbro 450 LPFP's, DCI, VRSF DP's, VRSF 7.5" FMIC, VRSF CP + TiAL BOV, VRSF inlets & aluminum outlets, TC Kline SA, M3 F/R control arms, M3 subframe bushings
Appreciate 0
      07-10-2014, 01:46 PM   #8
Zach1328
First Lieutenant
39
Rep
315
Posts

Drives: 2008 535i / 2007 335i
Join Date: May 2014
Location: United States

iTrader: (0)

Wow. I'm surprised how outdated their security is.

They are using TLS 1.0 which came out in 1999! That's 15 years ago!!!
A security system developed in 1999 simply can't match a hacker with the technology available today.
__________________
07 335i
Mods: JB4 + MHD BEF, RB Twos Plus, Phoenix PI Manifold, Dual Walbro 450 LPFP's, DCI, VRSF DP's, VRSF 7.5" FMIC, VRSF CP + TiAL BOV, VRSF inlets & aluminum outlets, TC Kline SA, M3 F/R control arms, M3 subframe bushings
Appreciate 0
      07-10-2014, 01:59 PM   #9
Ilove2dubb
Lieutenant
39
Rep
487
Posts

Drives: E46 ///M3
Join Date: Oct 2013
Location: Montreal

iTrader: (1)

I also received it yesterday and I'm in Canada. I checked my credit card account and I do see charges which appear to be fraudulent.
Appreciate 0
      07-10-2014, 02:12 PM   #10
Johnny Boost
Colonel
No_Country
326
Rep
2,016
Posts

Drives: '21 M850i GC
Join Date: May 2013
Location: TBD

iTrader: (0)

There's nothing you can really do about it except pay in cash from now on in retail stores.
__________________
WedgePerformance E40 MHD | Performance Exhaust Mod | BMS DP | Vibrant 1790 | BMS Intake | VRSF CP | xHP Stage 3
Michelin PSS | M3 Control Arms
LUX v4 LEDs | Shadowline Grills | Lip Spoiler
Appreciate 0
      07-10-2014, 02:30 PM   #11
ken1137
Brigadier General
ken1137's Avatar
United_States
92
Rep
3,731
Posts

Drives: BMW S1000XR
Join Date: Jun 2011
Location: Gilbert, AZ

iTrader: (7)

Garage List
2009 e90 335i  [6.40]
Yeah, I received notification trade in motion but have not seen any illegal purchases.

I am all for a smart chip as long as it is not RFID (constant radio signal emitted). That's another manner in which your personal data can be obtained by someone close or next to you if they have the appropriate equipment.
__________________

BMWCCA member
Appreciate 0
      07-10-2014, 03:05 PM   #12
alexwhittemore
Lieutenant Colonel
118
Rep
1,951
Posts

Drives: 2009 Crimson 328i
Join Date: Oct 2012
Location: Los Angeles

iTrader: (0)

You'd be scared shitless just how secondary the concerns of security and privacy are on the internet. You'd be scared slightly-less-shitless at the proportion that's willful ignorance and development cost savings vs ineptitude. http://stilldrinking.org/programming-sucks
__________________
Appreciate 0
      07-10-2014, 03:06 PM   #13
fravel
Colonel
fravel's Avatar
United_States
1648
Rep
2,494
Posts

Drives: Monaco Blue '06 330i
Join Date: Aug 2012
Location: The Nasti 'Nati

iTrader: (1)

Got the letter, haven't seen anything fraudulent yet though.
Appreciate 0
      07-10-2014, 03:44 PM   #14
getBMWparts
getBMWparts's Avatar
735
Rep
12,478
Posts

Drives: BMW Parts
Join Date: Jul 2007
Location: Silver Spring, MD

iTrader: (16)

Dear valued getBMWparts.com customers and forum members,

Regarding the security breach notice our Corporation - MileOne Automotive recently sent only to customers recognized as potentially at risk - we can certainly understand your questions and frustration. As stated in the notification letter, however, the security incident did not occur on MileOne's systems or on our GetBMWParts.com or SubaruPartsDepot.com websites. Rather, the incident originated at one of our third party vendors, TradeMotion. TradeMotion is an e-commerce service provider that we, and hundreds of other online retailers (including other vendors on these forums), use to process online transactions including payment processing. Nonetheless, we recognize that you purchased one or more of our products and we take the privacy and security of our customers extremely seriously. That is why, despite the fact the incident did not originate with our systems, we took proactive steps to help you minimize potential harm from the incident.

As to any concerns regarding the timing of the incident and the notification, the dates identified in the letter reflect the period of time that TradeMotion has determined account information was vulnerable to unauthorized acquisition. The March 5, 2014 date is not the date when the security incident was discovered. Rather, it is the beginning of the security breach period which was determined after the breach was discovered and TradeMotion completed its investigation. The notice was provided only to customers identified as potentially at risk after TradeMotion completed its investigation, including the following:
  • Notifying the appropriate law enforcement authorities;
  • Investigating to determine the cause and scope of the breach;
  • Investigating to determine which businesses' customer information was affected (because TradeMotion is a service provider for more than just GetBMWParts.com and SubaruPartsDepot.com);
  • Implementing corrective action to secure the system to protect customer information from further compromise; and,
  • Identifying the affected customers and the customer information that may have been compromised.

We continue to encourage you to take advantage of the complimentary ProtectMyID program being offered through the notice. In addition to the ProtectMyID program, you are also encouraged to consider the "Additional Actions" described in the notice, including:
  • Placing a fraud alert on your consumer reporting agency file;
  • Placing a security freeze on your consumer reporting agency file;
  • Obtaining a copy of your free annual credit report from reporting agencies and reviewing it carefully for any discrepancies;
  • Reviewing account statements carefully for signs of unauthorized transactions; and,
  • Reviewing the FTC's identity theft website for additional information.
Should you have any additional questions or comments regarding this matter, please do not hesitate to contact us at getHelp@getBMWparts.com - further questions will not be answered here.

Sincerely,

getBMWparts.com
MileOne Automotive
Email: getHelp@getBMWparts.com
Appreciate 0
      07-10-2014, 04:27 PM   #15
FitzMLife
Second Lieutenant
FitzMLife's Avatar
31
Rep
257
Posts

Drives: 2021 Hockenheim Silver M2C
Join Date: Oct 2012
Location: WA

iTrader: (0)

Garage List
2021 BMW M2C  [0.00]
I had several fraudulent charges back in March/April, this explains a lot.
Appreciate 0
      07-10-2014, 11:01 PM   #16
roadkillrob
Major General
896
Rep
5,476
Posts

Drives: 08 335i,22 X3M, 2012 C63 Black
Join Date: Jul 2007
Location: NH

iTrader: (15)

Quote:
Originally Posted by Fitz335 View Post
I had several fraudulent charges back in March/April, this explains a lot.
Me too, Amex had to reissue my card in April!
__________________
2025 X5 Msport
2008 E93 335i FBO
2012 Mercedes C63 Black Series Alanite Grey
Appreciate 0
      07-10-2014, 11:26 PM   #17
007_e350
Lieutenant Colonel
007_e350's Avatar
United_States
230
Rep
1,909
Posts

Drives: 335i 2008 MHD'd / x5d E70
Join Date: May 2013
Location: left lane

iTrader: (3)

Shouldn't affect PayPal right?? I paid them thru that
Appreciate 0
      07-11-2014, 12:23 AM   #18
nccoupe
Private First Class
8
Rep
172
Posts

Drives: 15 LSB M5
Join Date: Aug 2012
Location: Asheville, nc

iTrader: (0)

Thought it was something local, got a call from my bank's fraud department that someone in Illinois had purchased $2600 in pizzas, shopping stuff (Pier One, Vicki's Secret, Gap) and was happy they caught it.... 4 days later I got a letter.... little bastards.

Any way of getting a large discount on parts for my troubles? jk
Appreciate 0
      07-12-2014, 01:51 AM   #19
iameric
New Member
0
Rep
12
Posts

Drives: Lexus IS 250 Manual - totalled
Join Date: Apr 2013
Location: United States

iTrader: (0)

These things do happen, unfortunately; just be glad they disclosed it. I'm a project manager for an $8MM a year ecommerce company and during an audit we identified an unknown file on our server which was saving credit card information and being retrieved every few days. The source of the problem was a vulnerability in the ecommerce platform. Of course we told our customers affected and informed the authorities. The FBI got involved and we gave them complete access so they could run their own audits.

Attacks like this, assuming it wasn't negligent, are ultimately very hard to protect against 100% of the time. If there's a will there's a way.
Appreciate 0
      07-12-2014, 12:06 PM   #20
moonsin
First Lieutenant
moonsin's Avatar
32
Rep
345
Posts

Drives: 2021 X3 MC
Join Date: Feb 2012
Location: NJ

iTrader: (1)

I also received this letter a few days ago.... This may explain the false charges on my account back in May
Appreciate 0
      07-12-2014, 12:17 PM   #21
Augster
Master Gunner
78
Rep
435
Posts

Drives: 2008 335i Sport
Join Date: Aug 2013
Location: Sandy Eggo

iTrader: (0)

Garage List
Quote:
Originally Posted by Jason@Tischer View Post
As stated in the notification letter, however, the security incident did not occur on MileOne's systems or on our GetBMWParts.com or SubaruPartsDepot.com websites. Rather, the incident originated at one of our third party vendors, TradeMotion. TradeMotion is an e-commerce service provider that we, and hundreds of other online retailers (including other vendors on these forums), use to process online transactions including payment processing. Nonetheless, we recognize that you purchased one or more of our products and we take the privacy and security of our customers extremely seriously. That is why, despite the fact the incident did not originate with our systems, we took proactive steps to help you minimize potential harm from the incident.
Where the breach occurred is irrelevant, as is how many commercial companies may be served by this "third party": GetBMWParts aka Tischer Internet Sales knowingly and deliberately contracted with this company to provide its online transaction processing and customer information handling, and therefore is just as culpable in the insecurity of our personal information. Simply deflecting blame as being a "third party" problem is typical and pure equine excrement "damage control."

If the information posted from other members regarding the use of older and/or lesser security technology by this "third party" is true, then GetBMWParts aka Tischer Internet Sales is even more culpable because they did not do proper due diligence nor vetting of TradeMotion to ensure it truly can provide the necessary safeguards to protect private and privileged customer information.
__________________
2008 335i Alpine White Sport Sedan AT | Avant Garde M364 Staggered 19"
Appreciate 0
      07-12-2014, 12:32 PM   #22
FlowState
///M Driver
FlowState's Avatar
112
Rep
1,973
Posts

Drives: 07 JB E90 335, 20 TRM F97 X3M
Join Date: Jan 2011
Location: Chicago, IL

iTrader: (4)

I got the letter too. Actually had two rounds of fraudulent purchases from some 3rd party vendor in early May. Had to get a new card and all.

Definitely makes me not want to purchase from them again..
__________________

| 07 Jet Black 335 - N54 Single Turbo | 20 Toronto Red X3M |
Appreciate 0