Hacked!
For Johnson and Scherping, the attack could not have come at a worse time. They were on the verge of breaking even, and they had a new private investor who was close to writing a check. They had added new products to their line and were expanding their distribution to traditional retail outlets. Sales had been increasing at a steady 10% a month for the past 18 months, and the company was shipping to another new retail account almost every day. Three trade shows were on the calendar for the summer. Then Haag called on April 10, and, recalls Johnson, "the rest of our world went on hold."
Finding the security leak was only the beginning. Johnson had in fact solved that mystery. In a last-ditch effort to ferret out the leak, he called PDG and was told that there was, indeed, a problem with his version of the shopping-cart software and was offered the corrective patch. So why wasn't Johnson among the customers to whom PDG sent the E-mail advisory? It turns out that he had received a free, simplified version of the software from PSDM, a Web-development company that offered the special deal through UltiMutt's Web host, Web2010. Snyder says that PDG contacted all its resellers and asked them to inform their customers about the security issue. But PSDM owner Harold Boling says that because he installed Johnson's free cart two years ago and "stopped supporting the version in January 2000," he did not feel the responsibility to contact those who got the free version. "We pretty much left it to PDG," he says, adding that he "didn't even know how to get in touch" with many of the users. UltiMutt had, quite simply, slipped through the cracks.
Understanding how and why the hacking had occurred was small comfort to Scherping. The hackers had dumped UltiMutt's entire online customer database; they now had access to more than 900 credit cards. "I couldn't believe we had done this to our customers," she says. "I felt like we had betrayed everyone." Johnson then E-mailed a message to every customer, explaining what had happened and urging the customers to check their credit-card charges and to contact the FBI if they had been victimized. Return E-mail messages came flooding back, each one more painful than the last for Scherping to read. "She'd read one, get upset, share it with me verbally, and then I'd have to deal with it," says Johnson. "I told her, 'I don't want you to read any more of these -- you're pushing me over the edge."
More than 100 customers reported fraudulent charges, ranging from a few dollars up to $30,000. Jann Gath, in Long Beach, Calif., "got a call from a man who wanted to verify a computer purchase," she recalls. "I said, 'What computer?' I freaked out." When she called her credit-card company, Gath also discovered $1,500 worth of clothing purchases. Jeannie Tobias, in Cincinnati, checked her card after receiving Johnson's E-mail message and found that she had been ripped off. "When I got the E-mail [from UltiMutt], I thought, 'Oh, here we go again," says Tobias, who was victimized by hackers last year to the tune of $14,000. This time, she found only $50 in bad charges on her card, but even that was enough to sour her. "I won't charge through his company [UltiMutt] like that again," she says. "I've been burned."
Scherping agonized over the ordeal. The hacking had become a lens through which she viewed not only the business but also her role in it and, ultimately, her life. "I had questions about whether this was the best thing for our relationship," she says. "Our whole life is work." The couple discussed selling their house and moving to Phoenix, where Johnson would continue to run the business and Scherping would get an outside job. Or maybe Scherping would run UltiMutt and Johnson would strike out on his own. "The first priority was the relationship," says Johnson. At one point he suggested that Scherping return home to Minnesota for a break while he did damage control at UltiMutt. "I was trying to get her to leave for her own sanity," he says.
Fearful that Johnson would suffer under the workload without her, Scherping steeled herself and stayed put. "I love the product, and I love the people we're dealing with, and I didn't want to give up," she says. They had heard back from half of the customers they had E-mailed messages to, and the majority of the responses were good-natured and supportive. "May the fleas of a million ultimutts invade the hacker!!!" wrote one customer. And the customers who didn't respond at all? They're the ones whom Scherping worries about the most. "I do think we've lost a lot of them," she says.
For his part, Johnson puts a positive spin on the experience, taking a "whatever doesn't kill me makes me stronger" approach. He learned about Internet security the hard way and is now working on a way to completely eliminate the need to store customer data on his server. And while Scherping sees the customer- service glass as half empty, Johnson is heartened by the number of customers who did respond positively to his messages, and he sees this as his opportunity to create deeper relationships with them. But he's far from nave. He knows he could have lost his business, his lifestyle, maybe even the woman he loves. And he also understands that UltiMutt, a young, growing company just barely out of the starting gate, is certain to face more unexpected threats. Johnson just hopes that next time, he can actually see the enemy. "There are some business situations that play out like action films," muses Johnson. "Everything is focused on you, bullets are flying, good meets bad. Then there are situations, like this one, that are more like the Twilight Zone. You wake up in a strange town, and you search, but there's no one to be found anywhere."
Donna Fenn is a contributing editor at Inc.
Please e-mail your comments to editors@inc.com.<
