
Ask HN: Crap, I just downloaded over 10000 Credit Card Numbers - Now What? - blaines
I'm a developer in the freelancing/early startup phase, and had a client ask me to look at their current CMS/Online Store. I found out that the service they're using is storing credit card numbers, names, addresses, phone numbers, and CVV - probably in plaintext too. Obviously this is NOT PCI Compliant!

I poked around a bit to see wtf is going on and unintentionally dumped the entire db of 10,000+ credit card numbers, CVV, etc. For ALL of the system's users!

I'm a good person, and I really would rather not use this information incorrectly, so what's the right thing to do that won't land me in jail?

If anyone is wondering, the shopping cart service is apparently based in PHP.

Edit: I didn't make it clear enough, this is a service - like shopify - but definitely NOT shopify :) Appears to be locally operated, and has a good number of local clients.
======
9oliYQjP
Talk to a lawyer too. By posting this you no longer have plausible deniability
in the event something bad happens down the road. For example, maybe your
client is hacked and an investigation is opened by the credit card company who
finds out that _you_ had discovered gross negligence on the part of your
client but had not reported it. I'm not sure if that opens you up to the
chance of being sued. Somebody might have their identity stolen or the credit
card company might want to recoup some costs. Maybe the client turns on you
and somehow makes you a scapegoat.

Simply by posting this story, you may have opened yourself up to a lawsuit
because an enterprising mind could follow your HN history and what you've
posted here, put together enough clues, and find out the vulnerable system.
They could hack it. No, you weren't directly responsible for it, but civil law
is an entirely different beast than criminal law.

------
tzs
1. Tell your client to immediately switch to another service provider for his
online store. When the current one gets hacked (note I said _when_, not _if_),
your client's customers aren't going to care that it was a third party
provider your client was using. They will look at it as they trusted your
client and that trust was betrayed.

2. Perhaps an anonymous tip to Visa and Mastercard would be in order. The
provider needs to be shut down, as what they are doing goes beyond any
excusable security failure. Almost every developer, no matter how good, can
botch security--and so if all they were leaking was credit card numbers,
names, addresses, and phone number, it would be at least remotely forgivable,
if they were to promptly fix it.

However, you said they have the CVV too. That is not supposed to be stored at
all. Of course, an online store site has to keep it for the duration of
processing the transaction, but that should only be a few minutes. The fact
that they are storing CVV shows that they are beyond redemption.

3. As for the numbers and other data you downloaded, secure delete it. I
doubt anyone is going to care much about it. I once had a file with about the
same number of card numbers and contact information, which I received
unsolicited, offered up as a sample of the 100k cards the sender wanted to
sell me. I was able to do some checking and determine that the information was
apparently legit.

I called Visa and (I think) American Express. I naively thought they would be
interested in putting immediate holds on the accounts. Nope. The FBI was not
interested either--they suggested that the Secret Service would be the
appropriate agency to deal with someone trafficking in stolen credit cards.
The Secret Service disagreed. Eventually the next day I found someone at Visa
who asked me to mail her the list.

------
walesmd
I agree with all the other responses in here (delete it, tell the client, etc).
But, the fact you mention this is based on PHP - maybe you were trying to hint
at the system, but it sounds like you are blaming the language.

This has nothing to do with the language and could just have easily been
accomplished in any other language.

~~~
blaines
I agree with your statement - and I am blaming PHP a bit, it's gotten better
over the years but I have some resentment toward it still.

I'll shift my blame to the developer for not completing their due diligence
before writing software.

------
pavs
- Did you delete the db from your local computer? If not, do it now.

- Inform your client about the problem and how you can fix it.

- Fix it.

~~~
ericb
You should do a secure deletion. Generally, deleting a file just removes the
pointer to it within the file system--it isn't overwritten immediately, and is
still recoverable.

There are free utilities out there that delete securely. If you already
deleted the file, which I think you posted is the case, there are also
utilities that will overwrite the slack space on your drive, which will also
make the file unrecoverable.
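As an added example of the overwrite-then-unlink the comment above describes (not code from the thread), the function below overwrites a file in place with random bytes, forces the data and the directory entry to disk, and only then unlinks it. The caveat a practitioner would add: on SSDs, copy-on-write or journaling filesystems, and for any copy the dump left in a shell history, editor swap file, backup or cloud sync folder, overwriting one path does not guarantee the bytes are gone. Full-disk encryption plus destroying every copy is the reliable approach; this shows what a single overwrite actually does. The sample file contents are constructed.

```python
"""Overwrite a file's contents before unlinking it.

Added example, not from the thread. Caveat: overwriting in place is only
meaningful on a filesystem that rewrites blocks in place; it does not help
on SSDs with wear levelling, on copy-on-write/journaling filesystems, or
for copies of the file that exist elsewhere.
"""
import os
import tempfile


def secure_delete(path: str, passes: int = 2, chunk: int = 1 << 20) -> int:
    """Overwrite `path` with random bytes `passes` times, fsync, truncate,
    then unlink. Returns the total number of bytes overwritten."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n))
                remaining -= n
                written += n
            f.flush()
            os.fsync(f.fileno())      # data reaches the device, not just the page cache
        # Truncate so a recovered directory entry points at no data blocks.
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    os.unlink(path)
    # fsync the containing directory so the unlink itself is durable.
    # Opening a directory is not supported everywhere (e.g. Windows).
    try:
        dirfd = os.open(os.path.dirname(os.path.abspath(path)), os.O_RDONLY)
        try:
            os.fsync(dirfd)
        finally:
            os.close(dirfd)
    except OSError:
        pass
    return written


def demo(passes: int = 2) -> dict:
    """Write a constructed dump into a temp dir, securely delete it, and report."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "dump.sql")
        row = b"INSERT INTO orders VALUES (1,'4111111111111111','123');\n"  # constructed
        with open(p, "wb") as f:
            f.write(row * 1000)
        size = len(row) * 1000
        n = secure_delete(p, passes=passes)
        return {"size": size, "bytes_overwritten": n, "gone": not os.path.exists(p)}


if __name__ == "__main__":
    print(demo())
```

On Linux the same effect, with the same caveats, comes from `shred -u -n 2 dump.sql`; the point of writing it out is to see that the overwrite, the fsync and the unlink are three separate steps, and that a plain `rm` performs only the last one.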

------
jschuur
Obviously, just delete the file, tell your client exactly what happened and
explain how you can help them secure their data better. Turn this accident
into an opportunity.

Why are these things always so hard? Why bring a lawyer (who will charge money
for his services) in on it?

~~~
dkarl
_Why are these things always so hard? Why bring a lawyer (who will charge
money for his services) in on it?_

This is an awfully embarrassing situation for the company he's working for.
They could decide to cut their losses and turn him into the police, betting
that public outrage will focus on the malevolent thief instead of on their
innocent security mistakes.

Or, if they're more worried about their liability (possibly including
liability for theft already committed by less scrupulous employees or
consultants), then one way to sweep it under the rug would be:

1. Produce a serious and viable legal threat against the poster.

2. Use the threat to make him sign an agreement never to speak another word
about their credit card problem.

3. End his contract.

4. Go on with whatever they want to do (fix the problem, or not) with much
greater confidence that this will never publicly surface and bite them in the
ass.

That wouldn't be a catastrophic outcome for the poster, but even in that
situation I'd rather have a lawyer advising me.

~~~
blaines
While this is embarrassing for my client, they're only using the software as a
service. So I'm more worried that my client may inform the service company,
which is even more embarrassing for that organization. I know my client won't
be upset, after all they're having me make their new CMS, but the software as
a service company might not be so kind.

------
gexla
From what you are explaining, I doubt they know enough to know that you
downloaded the files. In a case where the CC's are stored in the db, it's a
really easy mistake to make accidentally downloading the CC's by doing a db
dump. I do this for many of my projects just so that I have a backup in case I
screw something up. If they were worried about something like this happening
then they should have warned you or put it in a contract.

Alert the client. Shred the files. Offer to fix.

~~~
blaines
You keep a copy of credit card numbers and CVV unencrypted in a database? Why
wouldn't you use a third party/gateway to deal with CC data storage?

~~~
tzs
When you use the gateway to store the CC data, then with most gateways you are
stuck doing all future subscription billing on that card through that gateway.
For many businesses, that is an unacceptable restriction.

~~~
blaines
Oh well that makes some sense - hopefully other companies are encrypting the
data and not storing CVV.

The crazy part to me is that these guys are storing this information for years
(One of the first rows was from 2002, and the last 2010) and they're not doing
any kind of recurring billing/customer profile stuff. So if I make a purchase
10 times my card is stored 10 times.

To top it off, I went back on it while writing the client, and I don't even
need a password to access data. I can create a valid session by setting a url
parameter. :(
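The last line of the comment above describes a session that can be "created" by setting a URL parameter, i.e. the server trusts a client-supplied identity. The following is an added example, not code from the thread or from the store it describes: a model of that failure next to a server-side session store that only honours ids it issued itself. The parameter name `sid`, the user table and the password check are assumptions made for the example.

```python
"""Client-chosen session id versus server-issued session id.

Added example, not from the thread. `sid`, the USERS table and the password
hashing are constructed for illustration; use a real password hash (bcrypt,
scrypt or argon2) in practice.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

# Constructed user table: username -> sha256(password) (illustration only).
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def check_password(user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash."""
    stored = USERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)


# --- Vulnerable pattern: the URL parameter *is* the session. ---
def vulnerable_current_user(query: Dict[str, str]) -> Optional[str]:
    """Whoever sets ?sid=<user>:<n> is treated as <user>. No password involved."""
    if "sid" in query:
        return query["sid"].split(":")[0]
    return None


# --- Hardened pattern: unguessable server-issued ids, validated server-side. ---
class SessionStore:
    def __init__(self, ttl: int = 3600):
        self._sessions: Dict[str, tuple] = {}   # sid -> (user, expiry)
        self._ttl = ttl

    def login(self, user: str, password: str,
              verify: Callable[[str, str], bool]) -> Optional[str]:
        """Issue a session only after the credentials verify."""
        if not verify(user, password):
            return None
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[sid] = (user, time.time() + self._ttl)
        return sid

    def current_user(self, cookies: Dict[str, str]) -> Optional[str]:
        """Resolve the caller's identity from a session id the server issued.
        Unknown, forged or expired ids yield no user."""
        sid = cookies.get("sid")
        entry = self._sessions.get(sid) if sid else None
        if entry is None:
            return None
        user, expiry = entry
        if time.time() >= expiry:
            self._sessions.pop(sid, None)
            return None
        return user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def demo() -> dict:
    """Run the forged-id attempt against both patterns."""
    store = SessionStore()
    forged = {"sid": "alice:1"}                     # what an attacker can type into a URL
    vuln = vulnerable_current_user(forged)          # "alice" with no password
    hardened_forged = store.current_user(forged)    # None: never issued
    bad_login = store.login("alice", "wrong", check_password)   # None
    sid = store.login("alice", "correct horse", check_password)
    good = store.current_user({"sid": sid})         # "alice"
    store.logout(sid)
    after_logout = store.current_user({"sid": sid}) # None
    return {"vuln": vuln, "hardened_forged": hardened_forged,
            "bad_login": bad_login, "good": good, "after_logout": after_logout}


if __name__ == "__main__":
    print(demo())
```

The difference is where the identity lives: in the vulnerable pattern it is carried in the request and can be set to anything; in the hardened pattern the request carries only an opaque random token and the identity is looked up in state the server controls. Sending the token as a cookie rather than a URL parameter also keeps it out of referer headers, proxy logs and browser history, which is the other half of why session ids in URLs are a problem.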

------
bkrausz
Is this a custom store or a package out there somewhere? The latter would be
pretty scary.

When I purchased a business I found a DB with all customers' CC info in it
while doing my due diligence (it was a crappy cart system written by some guy
overseas). The seller was surprised they were there, but didn't seem to grasp
the gravity of the situation ($150,000 fine for example).

I had my purchase contract written to explicitly say that I was not purchasing
the CC info, and I left no trace of the numbers on my computer. IANAL, but I
figure if I didn't obtain the numbers and I don't have the numbers I should be
fine.

I'd recommend you tell the client about the problem. Offer to fix it, and make
sure there is no trace of it on your computer. Probably worth asking a lawyer,
but I don't see what else you can do.

~~~
blaines
Thanks for the advice! It's a service - like shopify - but definitely NOT
shopify :)

I'm just starting out, in college, so lawyers aren't in the budget...

~~~
9oliYQjP
Where I live, for under $10 the law society runs a hotline which you can call
to be referred to a lawyer that can help your specific situation. As part of
that referral service, you get a 30-45 minute consultation for free I believe.
That's all you need right now. You might want to see if a similar service is
offered where you live. See my other post in the thread stating why I think
you need to speak to one.

~~~
blaines
That's an interesting idea, and it's in the budget :) I'll have a look at my
options.

------
danielrm26
In order to help I'm going to need the URL...

Just kidding.

1. Delete the data.

2. Call the client.

3. Explain what happened.

4. Prepare to be blamed.

5. Do the right thing anyway.

------
wwortiz
If you really are worried about jail time, contact a lawyer and most probably
delete any trace of the files.

If you aren't going to do that, or even if you are, contact the people who are
storing this in plaintext and tell them why it is wrong; perhaps even give an
ultimatum for further action.

But you probably should talk to a lawyer first to make sure you know what you
should do.

------
Amanjeev
I think you need to tell this to your client in writing. I believe that will
help in future to show that you did inform them and your intentions were noble.

Also, then if I were you, I would try to keep my dev and personal computer
more secure. I know that I am a freak that way. :)

