I tweeted a quick note about the 2010 Maine Department of Conservation state park pass ordering system breach. The brief AP story indicated that the breach itself was caused by a malware infection on systems at their SaaS provider InfoSpherix.
While the article claims notices were sent to ~1,000 impacted card holders, there is no mention of the breach on the InfoSpherix news page and the only bit of information on the Maine DoC site is pitiful and uninformative:
Both organizations may have met the bare minimum legal requirements for breach notifications, but I find it shameful that they have not made the information more public. How are other companies supposed to learn from the mistakes of others and how will lack of open disclosure help consumers ask tougher questions prior to giving away the keys that unlock their finances?
It’s also pretty sad (but not uncommon) that the actual breach occurred on March 21st last year but wasn’t discovered until February of this year and that it took them over a month to report it out.
While there is the claim that the breach only impacted the park pass ordering system, InfoSpherix is a division of a larger organization that provides a plethora of services for recreational facilities. I’m actually a bit concerned that other systems may have been impacted (hey, if they didn’t detect it on these for almost a year…) and – if you’ve registered for a campground online – you have most likely used one of them. Not. Cool.
Oh yeah, before I forget, I wanted to ask InfoSpherix how that PCI compliance is working out for them? Perhaps checkbox stickers on the equipment would have helped stave off the intruders. #protip
You can at least read a few more details of the breach over at DataLossDB.
One Comment
A quick Google search of InfoSpherix reveals that their reservations division is http://www.reserveworld.com. They directly provide services to:
Delaware State Parks
Georgia State Parks
Indiana State Parks
Larimer County
Maine State Parks
Maryland State Parks
Michigan State Parks
Minnesota State Parks
Missouri State Parks
New Mexico State Parks
Ohio State Parks
Orange County, CA
Pennsylvania State Parks
South Dakota State Parks
The Active Network acquired InfoSpherix in 2007 and then bought ReserveAmerica in 2009. According to many sources, the company recently filed for an IPO, which is probably why they are keeping it hush-hush.
References:
http://www.signonsandiego.com/news/2011/feb/15/active-network-files-for-ipo/
http://www.socaltech.com/active_network_buys_reserveamerica/s-0019558.html
http://www.freshnews.com/news/70079/san-diego-active-network-acquires-infospherix-acquisition-bolsters-active%E2%80%99s-government-bu