Canadian online pharmacy PlanetDrugsDirect.com has contacted customers warning them that their data might have been exposed in what they euphemistically describe as a "data security incident".
In an email
seen by Bleeping Computer, the website warned that exposed personal data could include the following:
- Customer names
- Postal addresses
- Email addresses
- Phone numbers
- Medical information (including prescriptions)
- Payment information
The email is, unfortunately, somewhat lacking in detail - meaning that concerned customers may have to contact PlanetDrugsDirect via email or telephone to ask questions such as:
- What was the nature of the security breach?
- How did you find out about the security breach?
- When was the security breach first detected?
- How many customers are affected?
- Have you informed law enforcement agencies?
- If an unauthorised individual or malicious hacker had access to the data, how long did they have access to the data?
- When you say "payment information" was exposed, I presume you mean payment card details? Could the security breach have exposed full or partial credit card details? What about expiry dates and CVV codes?
It's not necessarily the case that PlanetDrugsDirect knows the answer to all of these questions. For instance, the security breach may only have come to light after the website's customer data was found posted online, meaning that the company knows that it has suffered a security breach but not necessarily how or when.
However, some of the questions definitely could be answered - and it's disappointing that the online pharmacy has not yet been more forthcoming with details of what has occurred, considering the sensitive nature of the data which could be at stake.
I also feel irked that the website itself appears to make no mention of the "recent data security incident", which would be an effective way to warn more users.
PlanetDrugsDirect does, however, say that it has not seen any evidence to suggest that account passwords have been compromised. So I support that's some small mercy. Although if I were a customer I would probably not feel entirely reassured and seek to reset my password anyway.
For now, PlanetDrugsDirect tells customers that they should keep a close eye on their credit card and bank accounts in case there are any suspicious transactions.
There is a very real concern that fraudsters could use information compromised through a security breach like this to steal money and target individuals. What makes it particularly galling is that Canadian online pharmacies typically cater for American customers who are finding it difficult to pay the artificially high prices set by the US pharmaceutical industry.
In other words, it's those most in need who might be the most at risk.
Stay safe folks, and if you see signs of fraud or suspicious activity in your financial statements be sure to inform your bank as soon as possible.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
