When cybercriminals hacked their systems, Ron Johnson, co-owner of UltiMutt, knew four things he needed to do. Here's what they were -- and what happened when Johnson did them.
"The encryption has been broken," said a foreign-sounding voice. At that news, Ron Johnson and Lori Scherping found themselves in the middle of every business owner's worst nightmare.
Ron Johnson and Lori Scherping live and work in their own small corner of paradise. They're comfortably settled on three and a half acres in the Arizona desert, where they frequently rise at 5:30 a.m. to weight train on the covered patio of their 2,700-square-foot home while their dogs, Diesel and Ranger, frolic in the expansive backyard. The couple's commute is about half a minute -- the time it takes to walk to the converted garage where they run their Web-based business, UltiMutt. From there, the couple design and sell posters that combine their passions: dogs (Scherping) and motivational quotes (Johnson). Revenues are relatively modest ($300,000 projected for this year), but the company supports the two and gives them what many would consider an enviable life. But you would not have envied Johnson and Scherping last April.
It was late in the day on April 10 when Johnson received a call from Jacqueline Haag, a customer in Colorado Springs, Colo. Haag had just finished an unsettling conversation with a "foreign sounding" man who claimed to be with "Web security" and identified himself only as Khalil. "I had ordered some posters from UltiMutt that night, and half an hour later I got this phone call from a very strange man," recalls Haag. "His English was difficult to understand, but he blurted out my credit-card number. He said to me, 'I'm a security person, and your card has been stolen. The encryption has been broken.'" The man told Haag that her card had been stolen from the UltiMutt Web site and that she should call the company's 800 number listed there. But Haag called her credit-card company first, only to discover that shortly after her $35 charge to UltiMutt had been processed, another charge for $658 had gone through. She canceled the card immediately, then called Johnson.
Johnson didn't quite know what to make of the call. Haag could have lost her card information someplace else. Maybe she didn't really understand online ordering. And "the encryption has been broken" comment? It sounded like something out of a bad espionage thriller. Nonetheless, Johnson thought it best to be prudent. He called his Web host, Web2010, in Orlando. "I relayed the customer's story and asked them to scan our logs for any unauthorized file access or any evidence of hacking," says Johnson. A technical-support person promised to get back to Johnson by 7 the next morning. Next, Johnson decided, just as a precaution, to pull UltiMutt's order-log file off the server and to give the new file a different name. In a final attempt to test the waters for signs of a security leak, Johnson logged on to his own Web site and placed an order, christening a brand-new credit card with no other charges on it. He would check it first thing in the morning. "I took a deep breath and said, 'OK, it's being taken care of,'" he recalls. Exhausted, but confident that he had done all that he could for the day, Johnson crawled into bed and slept soundly. A less sanguine Scherping tossed and turned beside him. She would not sleep well again for two weeks.
Johnson rose early the next morning and logged on to his E-mail, hoping for some positive news from Web2010. He got it. Overnight analysis of UltiMutt's Web site revealed no unauthorized access. Thinking he was probably in the clear, Johnson called his credit-card company. He got a nasty surprise. Someone had gone on an overnight spending spree with his card, racking up $3,000 in charges. "That put me in shock," he says. "The next two hours were panicked." He called Web2010 immediately. "You were wrong," he told them, "and here's the evidence." The company agreed to turn over the case to hacking expert Brad Godfrey, Web2010's "abuse manager," for a more sophisticated investigation.
In the meantime, Johnson E-mailed messages to UltiMutt's customers who had made purchases that month, indicating that there seemed to be a problem with security, that he would keep them informed, and that they should monitor the charges on their credit cards. He then began his own sleuthing. He was an engineer, a man who approached problems rationally and with persistence, endurance, and the assumption that very little was beyond his understanding. "I have a warriorlike mentality," he says. "I knew I needed to do four things: stop the hacking, understand it, find the thief, and control damages with our customers." The short time between his test order and the fraudulent charges on his account led him to believe that the credit-card-data stream was being intercepted. He spent the next several hours frantically telephoning the three companies that managed his site's credit-card transactions. Frustration and anxiety mounted each time Johnson was put on hold and passed on to yet another disinterested employee; he was in help-line hell. "In all cases, they refused to access our merchant account and do any traces on their end," says Johnson. "They just distanced themselves from the problem. Everyone wanted to point the finger at someone else, and one credit-card processor even told me I was crazy."
"We just didn't know where to turn," says Scherping. She wondered why Web2010 hadn't found evidence of the hacking in the first place, why the FBI's Phoenix field office had not followed up on Johnson's initial phone report, why the Secret Service agent who spoke to Johnson warned him about "limited resources," and, most painfully, why this had happened to them at all. Scherping, a certified public accountant and former internal auditor for a large copper company, was a detail-oriented person, an experienced trouble-spotter who prided herself on her ability to anticipate and deflect danger. The hackers had caught her off guard, and she felt as if she had failed somehow. Worse, she didn't have any idea how to make things right again, and she was beginning to think that she and Johnson should simply shut the site down. "I felt helpless," she recalls. "I could hear Ron's conversations -- everyone telling him, 'No, it couldn't be us.' I felt like I was going to explode. I felt like leaving." But she didn't. Instead, she hunkered down in front of her computer and scoured the Web looking for help with computer fraud until one site seemed to blur into the next. "I just felt so isolated," she says.