Security Breach Exposes Data on MLS Online Consumers
A wave of SQL injection attacks on the servers of a third-party Internet Service Provider (ISP) compromised the personal data of an unknown number of people who shopped on MLSgear.com, the Website of Major League Soccer, during 2007.
Although the incident affected an unspecified number of individuals, MLS Vice-President and Deputy General Counsel Michael Sapherstein told Kelly Ayotte, Attorney General for New Hampshire, that 169 of the persons affected were residents of Ayotte's state. SCMagazine reported this on February 11, 2008.
In a letter dated February 1, 2008, Sapherstein said that the attackers might have accessed consumers' names along with their addresses, debit and credit card information, and passwords for the Website. SCMagazine published this on February 11, 2008.
The first report of the incident came from PogoWasRight.org, a blog that tracks data breaches. The blog also published a link to an alert that MLSgear.com sent to the New Hampshire Attorney General's office.
Sapherstein said that a computer forensic examination conducted on behalf of MasterCard and Visa revealed that the SQL attacks seemed to have taken place between January and August 2007. ComputerWorld reported this on February 8, 2008. Sapherstein said that the attacks targeted third-party servers hosting MLS customer data.
Sapherstein wrote that MLS has a zero-tolerance policy where the protection of its customers' private information is concerned and that, consequently, it is cutting its ties with the e-commerce provider. The organization also notified the affected Internet shoppers.
In addition, in a post to the Consumer Protection and Antitrust Bureau site of the New Hampshire Justice Department, Mark Abbott, President of MLS, directed online shoppers to change their password for accessing MLSgear.com, SCMagazine reported on February 11, 2008.
In the opinion of security analysts, such attacks are likely to become commonplace, as too many Websites are open to them. In light of that, the major credit card organizations will, starting in July, require merchants and retailers that accept card payments to deploy a firewall for all of their Web applications. Alternatively, they will have to submit their custom application code to an external security company for a vulnerability review.
» SPAMfighter News - 16-02-2008