"The encryption has been broken," said a foreign-sounding voice. At that news Ron Johnson and Lori Scherping found themselves in the middle of every business owner's worst nightmare.
Ron Johnson and Lori Scherping live and work in their own small corner of paradise. They're comfortably settled on three and a half acres in the Arizona desert, where they frequently rise at 5:30 a.m. to weight train on the covered patio of their 2,700-square-foot home while their dogs, Diesel and Ranger, frolic in the expansive backyard. The couple's commute is about half a minute -- the time it takes to walk to the converted garage where they run their Web-based business, UltiMutt. From there, the couple design and sell posters that combine their passions: dogs (Scherping) and motivational quotes (Johnson). Revenues are relatively modest ($300,000 projected for this year), but the company supports the two and gives them what many would consider an enviable life. But you would not have envied Johnson and Scherping last April.
It was late in the day on April 10 when Johnson received a call from Jacqueline Haag, a customer in Colorado Springs, Colo. Haag had just finished an unsettling conversation with a "foreign sounding" man who claimed to be with "Web security" and identified himself only as Khalil. "I had ordered some posters from UltiMutt that night, and half an hour later I got this phone call from a very strange man," recalls Haag. "His English was difficult to understand, but he blurted out my credit-card number. He said to me, 'I'm a security person, and your card has been stolen. The encryption has been broken.'" The man told Haag that her card had been stolen from the UltiMutt Web site and that she should call the company's 800 number listed there. But Haag called her credit-card company first, only to discover that shortly after her $35 charge to UltiMutt had been processed, another charge for $658 had gone through. She canceled the card immediately, then called Johnson.
Johnson didn't quite know what to make of the call. Haag could have lost her card information someplace else. Maybe she didn't really understand online ordering. And "the encryption has been broken" comment? It sounded like something out of a bad espionage thriller. Nonetheless, Johnson thought it best to be prudent. He called his Web host, Web2010, in Orlando. "I relayed the customer's story and asked them to scan our logs for any unauthorized file access or any evidence of hacking," says Johnson. A technical-support person promised to get back to Johnson by 7 the next morning. Next, Johnson decided, just as a precaution, to pull UltiMutt's order-log file off the server and to give the new file a different name. In a final attempt to test the waters for signs of a security leak, Johnson logged on to his own Web site and placed an order, christening a brand-new credit card with no other charges on it. He would check it first thing in the morning. "I took a deep breath and said, 'OK, it's being taken care of,'" he recalls. Exhausted, but confident that he had done all that he could for the day, Johnson crawled into bed and slept soundly. A less sanguine Scherping tossed and turned beside him. She would not sleep well again for two weeks.
Johnson rose early the next morning and logged on to his E-mail, hoping for some positive news from Web2010. He got it. Overnight analysis of UltiMutt's Web site revealed no unauthorized access. Thinking he was probably in the clear, Johnson called his credit-card company. He got a nasty surprise. Someone had gone on an overnight spending spree with his card, racking up $3,000 in charges. "That put me in shock," he says. "The next two hours were panicked." He called Web2010 immediately. "You were wrong," he told them, "and here's the evidence." The company agreed to turn over the case to hacking expert Brad Godfrey, Web2010's "abuse manager," for a more sophisticated investigation.
In the meantime, Johnson E-mailed messages to UltiMutt's customers who had made purchases that month, indicating that there seemed to be a problem with security, that he would keep them informed, and that they should monitor the charges on their credit cards. He then began his own sleuthing. He was an engineer, a man who approached problems rationally and with persistence, endurance, and the assumption that very little was beyond his understanding. "I have a warriorlike mentality," he says. "I knew I needed to do four things: stop the hacking, understand it, find the thief, and control damages with our customers." The short time between his test order and the fraudulent charges on his account led him to believe that the credit-card-data stream was being intercepted. He spent the next several hours frantically telephoning the three companies that managed his site's credit-card transactions. Frustration and anxiety mounted each time Johnson was put on hold and passed on to yet another disinterested employee; he was in help-line hell. "In all cases, they refused to access our merchant account and do any traces on their end," says Johnson. "They just distanced themselves from the problem. Everyone wanted to point the finger at someone else, and one credit-card processor even told me I was crazy."
"We just didn't know where to turn," says Scherping. She wondered why Web2010 hadn't found evidence of the hacking in the first place, why the FBI's Phoenix field office had not followed up on Johnson's initial phone report, why the Secret Service agent who spoke to Johnson warned him about "limited resources," and, most painfully, why this had happened to them at all. Scherping, a certified public accountant and former internal auditor for a large copper company, was a detail-oriented person, an experienced trouble-spotter who prided herself on her ability to anticipate and deflect danger. The hackers had caught her off guard, and she felt as if she had failed somehow. Worse, she didn't have any idea how to make things right again, and she was beginning to think that she and Johnson should simply shut the site down. "I felt helpless," she recalls. "I could hear Ron's conversations -- everyone telling him, 'No, it couldn't be us.' I felt like I was going to explode. I felt like leaving." But she didn't. Instead, she hunkered down in front of her computer and scoured the Web looking for help with computer fraud until one site seemed to blur into the next. "I just felt so isolated," she says.
But what Scherping and Johnson didn't realize in those first few hours was that they were not alone at all. Countless other company owners who relied on E-commerce for the lion's share of their revenues had been under attack as well. Hackers from as far away as Eastern Europe and Indonesia had discovered a security leak in a particular brand of shopping-cart software -- a leak that allowed them to access sensitive customer data and to randomly steal credit-card numbers. About nine days earlier, the Tucker, Ga., software company that makes the shopping-cart software, which UltiMutt uses, had received gut-wrenching E-mail messages. "We were notified that an unknown group of malicious hackers was targeting PDG software and was compromising Web stores and stealing credit-card lists," says PDG Software president David Snyder. At about the same time, several of PDG's customers received the same taunting wake-up call by E-mail from the hackers. "This was the most serious problem of this nature that PDG has ever dealt with," says Snyder. Within hours PDG's software engineers plugged the leak by updating the shopping cart, and customer service sent out a flood of E-mail warning customers of the potential danger and offering them a free patch to correct the problem. Snyder contacted the Atlanta FBI bureau and learned that he could post a formal advisory on the National Infrastructure Protection Center (NIPC) Web site. NIPC, a four-year-old antiterrorism unit that operates within the FBI, coordinates investigations into data and communications-systems crimes. It recently came under some fire in a General Accounting Office report. "The center's information-sharing relationships are still evolving and will probably have limited effectiveness until reporting procedures and thresholds are defined and trust relationships are established," read the April 25 report summary. 
In fact, Johnson, disheartened by the lack of response from the FBI's Phoenix field office, called NIPC a couple of days after the hacking, only to be told that he should fill out a form that would then be forwarded to -- you guessed it -- the FBI's Phoenix bureau.
David Ford, a supervisory special agent with the FBI in Atlanta, confirms only that there is an "ongoing investigation" into the software problem, but he won't comment on the details of the case. PDG's name did appear prominently on the NIPC advisory, which mentions "numerous victim companies" and notes that "the vulnerability has already resulted in compromise and theft of important information, including consumer data."
Clearly, UltiMutt's attacker wasn't just some seedy hacker hunched over a keyboard in a dark room. Although Ford wouldn't comment on the possible international elements of the crime, he did confirm that "multiple" FBI offices were involved in the investigation. It was apparent to Johnson, however, that he was embroiled in a crime that extended beyond U.S. borders. Two days after Haag called him, Johnson received an E-mail message from an Indonesian man warning him that, during a chat-room discussion, "someone I didn't know...told me that your site have been hacked...may you have to increase your security." And while analyzing UltiMutt's order logs, Johnson came across another Web site's URL "in the middle of a sloppy hack" and guessed that it, too, was being broken into. Johnson shot off an E-mail warning to that site. Almost instantly, he received a reply from an Israeli, thanking him for the heads up and confirming that he believed his site had indeed been hacked and his customers' credit-card data stolen. The thieves, he wrote, had been shipping goods to addresses in Indonesia, Romania, and Macedonia.
Johnson was no stranger to the vagaries of entrepreneurship. He had started four other companies, invented more than a dozen products, and stood on the brink of disaster more than once. But never in his wildest dreams would he have predicted that tiny UltiMutt would be a target for a group of international hackers. In fact, the hackers cared only that UltiMutt used the PDG shopping cart, which they had learned how to exploit, and that the site contained valuable customer data. Those criteria applied to companies as small as Johnson's and to at least one large enough to have sensitive information for 30,000 customers on its order log. The hack, says Web2010's Brad Godfrey, wasn't even really that sophisticated. "The crook didn't log into the server through some mysterious, sophisticated electronic hack," he says. "Instead, they exploited a flaw in the shopping cart, and by carefully crafting a URL and running it in the address bar of the browser, they were able to search for the log file that recorded the credit-card numbers of previous orders." After that, it was just a matter of spreading the word.
Increasingly, says the FBI's Ford, hackers have much better communications networks than most businesses do. They frequently rely on Internet chat rooms. "They go into these rooms and exchange hacking information, tools, methods, passwords, and stolen data," says Ford. "It makes it very easy for the community to share information about vulnerabilities in systems." And although the typical hacker used to be a lone wolf, Ford says, the E-commerce explosion has fueled a whole new breed of cybercriminal -- they're older, more inclined to work in groups, and much more likely to be motivated by profit than by mischievousness. This year's survey of 538 computer-security practitioners in U.S. corporations, government agencies, universities, and financial and medical institutions, conducted by the Computer Security Institute and the San Francisco FBI's Computer Intrusion Squad, revealed that 64% of respondents reported financial losses resulting from computer-security breaches; 70% said their Internet connection was a frequent point of attack. And the percentage of organizations that reported system penetrations from outside increased from 25% in 2000 to 40% this year. "... The threat from computer crime and other information security breaches continues unabated and ... the financial toll is mounting," the report concludes grimly.
For Johnson and Scherping, the attack could not have come at a worse time. They were on the verge of breaking even, and they had a new private investor who was close to writing a check. They had added new products to their line and were expanding their distribution to traditional retail outlets. Sales had been increasing at a steady 10% a month for the past 18 months, and the company was shipping to another new retail account almost every day. Three trade shows were on the calendar for the summer. Then Haag called on April 10, and, recalls Johnson, "the rest of our world went on hold."
Finding the security leak was only the beginning. Johnson had in fact solved that mystery. In a last-ditch effort to ferret out the leak, he called PDG and was told that there was, indeed, a problem with his version of the shopping-cart software and was offered the corrective patch. So why wasn't Johnson among the customers to whom PDG sent the E-mail advisory? It turns out that he had received a free, simplified version of the software from PSDM, a Web-development company that offered the special deal through UltiMutt's Web host, Web2010. Snyder says that PDG contacted all its resellers and asked them to inform their customers about the security issue. But PSDM owner Harold Boling says that because he installed Johnson's free cart two years ago and "stopped supporting the version in January 2000," he did not feel the responsibility to contact those who got the free version. "We pretty much left it to PDG," he says, adding that he "didn't even know how to get in touch" with many of the users. UltiMutt had, quite simply, slipped through the cracks.
Understanding how and why the hacking had occurred was small comfort to Scherping. The hackers had dumped UltiMutt's entire online customer database; they now had access to more than 900 credit cards. "I couldn't believe we had done this to our customers," she says. "I felt like we had betrayed everyone." Johnson then E-mailed a message to every customer, explaining what had happened and urging the customers to check their credit-card charges and to contact the FBI if they had been victimized. Return E-mail messages came flooding back, each one more painful than the last for Scherping to read. "She'd read one, get upset, share it with me verbally, and then I'd have to deal with it," says Johnson. "I told her, 'I don't want you to read any more of these -- you're pushing me over the edge.'"
More than 100 customers reported fraudulent charges, ranging from a few dollars up to $30,000. Jann Gath, in Long Beach, Calif., "got a call from a man who wanted to verify a computer purchase," she recalls. "I said, 'What computer?' I freaked out." When she called her credit-card company, Gath also discovered $1,500 worth of clothing purchases. Jeannie Tobias, in Cincinnati, checked her card after receiving Johnson's E-mail message and found that she had been ripped off. "When I got the E-mail [from UltiMutt], I thought, 'Oh, here we go again,'" says Tobias, who was victimized by hackers last year to the tune of $14,000. This time, she found only $50 in bad charges on her card, but even that was enough to sour her. "I won't charge through his company [UltiMutt] like that again," she says. "I've been burned."
Scherping agonized over the ordeal. The hacking had become a lens through which she viewed not only the business but also her role in it and, ultimately, her life. "I had questions about whether this was the best thing for our relationship," she says. "Our whole life is work." The couple discussed selling their house and moving to Phoenix, where Johnson would continue to run the business and Scherping would get an outside job. Or maybe Scherping would run UltiMutt and Johnson would strike out on his own. "The first priority was the relationship," says Johnson. At one point he suggested that Scherping return home to Minnesota for a break while he did damage control at UltiMutt. "I was trying to get her to leave for her own sanity," he says.
Fearful that Johnson would suffer under the workload without her, Scherping steeled herself and stayed put. "I love the product, and I love the people we're dealing with, and I didn't want to give up," she says. They had heard back from half of the customers they had E-mailed messages to, and the majority of the responses were good-natured and supportive. "May the fleas of a million ultimutts invade the hacker!!!" wrote one customer. And the customers who didn't respond at all? They're the ones whom Scherping worries about the most. "I do think we've lost a lot of them," she says.
For his part, Johnson puts a positive spin on the experience, taking a "whatever doesn't kill me makes me stronger" approach. He learned about Internet security the hard way and is now working on a way to completely eliminate the need to store customer data on his server. And while Scherping sees the customer-service glass as half empty, Johnson is heartened by the number of customers who did respond positively to his messages, and he sees this as his opportunity to create deeper relationships with them. But he's far from naive. He knows he could have lost his business, his lifestyle, maybe even the woman he loves. And he also understands that UltiMutt, a young, growing company just barely out of the starting gate, is certain to face more unexpected threats. Johnson just hopes that next time, he can actually see the enemy. "There are some business situations that play out like action films," muses Johnson. "Everything is focused on you, bullets are flying, good meets bad. Then there are situations, like this one, that are more like the Twilight Zone. You wake up in a strange town, and you search, but there's no one to be found anywhere."
Donna Fenn is a contributing editor at Inc.