POWER V. CONNECTWEB TECHNOLOGIES, INC.

DATA BREACH #1

Vulnerable website: www.rubberstampchamp.com

Type of breach: Hacking or malware

Data Breach Range: 2015 (specific dates will be acquired by subpoena)

Affected Users: approximately 500,000 customers

Date(s) Individual Notice Provided to Consumers: NEVER

Was Substitute Notice Given? NO

Was Media Notice Given? NO

Was notification delayed because of a law enforcement investigation? NO

Location of Breached Information: NETWORK SERVER

Type(s) of Personal Information Involved in the Breach:

  • Social Security Number Information
  • Driver's License number or ID Card number information
  • Military ID number
  • Tax ID number
  • Credit Card Numbers w/ Full Name, Expiration Date, and CVV
  • Bank account numbers with name/address of owner
  • Medical Information
  • Unique biometric data (fingerprints)
  • Account credentials (username or email with password)

Vulnerability Details: China Chopper (Wikipedia)

Brief description of the breach:

Unauthorized persons gained root access to rubberstampchamp.com by exploiting a known vulnerability in third-party software. This vulnerability allowed arbitrary code execution with full privileges. Unauthorized persons were able to successfully upload code files and execute them with full privileges, allowing access to all personal and confidential data including all object and source code files, the SQL database and all user data including unencrypted personal and financial information.

The China Chopper executable and client file on the affected servers allowed persistant administrative access to the affected machines, even after the vulnerability which allowed the initial access into the system was closed.

Matthew Power used his expertise in command-line script execution to help Sergeant Timothy G. Lahan of the Forensic Group: Electronic Crimes division of the Boston Police to clone the entire Rubber Stamp Champ dedicated server's hard drive, and to copy its RAM memory to disk, in an effort to track the malicious foreign actors. Charles B. Parker, a Special Agent at the U.S. Department of Homeland Security (DHS) and United States Secret Service was also a witness to the evidence collection and received statements from Michael Beaulieu and Paul Beaulieu about their discovery of the attack and the malicious files found on the server. Neither department provided any assistance in patching the vulnerability, and the vulnerability remained unpatched for years. However, the likely intrusion path was via the Telerik Arbitrary Code Execution Vulnerability that was patched in March, 2020, five years later.

Offenses against the public:

Connectweb Technologies, Inc. - provider of hosting and information security services for Rubber Stamp Champ - knew about the vulnerability and did not contact the hundreds of thousands of affected or likely affected customers by postal mail as required by state law, even after being told by Visa, Inc. that they were the source of the theft of the credit card numbers.

Rubber Stamp & Button Champ (a sole proprietorship) knew about the vulnerability affecting or likely affecting hundreds of thousands of its customers and did not notify those customers by postal mail as required by state law.

Rubber Stamp & Button Champ did not notify the Attorney General of California about the breach affecting more than 500 California residents as required by CA state law.

By failing to notify affected customers of the data breach, both Connectweb Technologies, Inc, and Rubber Stamp & Button Champ owe the state of California the maximum penalty of $250,000 each.

Immanent Risk to National Security of the United States

Connectweb Technologies, Inc. took extraordinary steps to cover up the data breach and attempted to tarnish the pristine reputation of expert software engineer, Matthew Power, who witnessed the data breach, assisted authorities when they had trouble cloning the data from the server, and urged Connectweb to follow all federal and state laws regarding the notification of affected customers. When Connectweb refused to follow federal and state laws, Power became a whistleblower for the government, as it was known to him that many thousands of government employees and active military personal were affected by this vulnerability, which presented an immanent risk to national security.

The Coverup and Willful Violations of State and Federal Laws:

Connectweb Technologies, Inc. willfully violated each state law's rules about the notification of affected customers. More than 60 clients' websites were affected by this breach and Matthew Power created a custom application that continually scanned and detected alterations to the websites, in order to track the actions of the hackers. In addition to the theft of credit card data, which was reported to Connectweb Technologies, Inc. by Visa, Inc. who determined that Connectweb was the source of the theft of thousands of its cardholders' credit card data, the foreign actors would also continually stuff hidden links ("backlinks") in the bottom of the homepage of each infected website in an attempt to increase the SEO score for hundreds of other websites owned or operated by the hacking group.

Witnesses of the data breach to subpoena:

  • Michael Beaulieu (CEO/Treasurer of Connectweb Technologies, Inc.)
  • Paul Beaulieu (President of Connectweb Technologies, Inc.)
  • Visa, Inc. (determined source of credit card data theft to be Connectweb's servers)
  • Special Agent Charles B. Parker, U.S. Department of Homeland Security / United States Secret Service
  • Sergeant Timothy G. Laham, Boston Police (Forensic Group: Electronic Crimes)

Business cards given to Matthew Power on the day of their visit to Connectweb's office in Peabody, MA