The Toronto Star
Wednesday, July 21, 1999
pages D1,D4

Security lesson on the Web

Robust retail figures have been compelling companies to get wired to gain market share in E-commerce transactions in Canada and the United States worth $14.9 billion (U.S.) last year. One firm, Seattle-based MegaDepot, which sells office supplies online, was so confident of security it offered to cover losses up to $100 if a credit card was used fraudulently. So how could people get access to a confidential database of customer information -- including credit card numbers -- just by typing in an Internet address?

Security breach teaches firm an online lesson

by Ellen Roseman, erosema@thestar.ca

MegaDepot, an online office supplies retailer, was so confident of security it offered to cover losses up to $100 if a credit card was used fraudulently.

So how could I (and several others) get access to a confidential database of customer information, including credit card numbers, just by typing in an Internet address? And now that the security breach has been repaired, what does this mean for other online retailers struggling to win consumer trust?

Let me quote from some E-mail I received after yesterday's column appeared.

"I was shocked by your article about MegaDepot.com", writes Jamie. "I ordered a $2,000.51 computer and a memory card last Thursday, but luckily by cheque!

"I was seconds away from ordering by credit card, but had a gut feeling that something wasn't right about ordering by credit card online for that amount of money."

Another customer, Alvin, got a call from MegaDepot at 12.30 a.m. yesterday telling him about the security breach.

"I was quite freaked out when I heard my credit card number was floating out there and immediately cancelled my card", he says. "Hopefully nobody rang up any charges, but this makes me very cynical of E-commerce, where before I trusted the security of E-commerce very much."

Both readers had the right instincts. Yes, be cautious about using your credit card online. And yes, cancel your credit card if there's a security problem at a site you patronize.

But don't rule out Internet buying, at least not yet.

Shopping in conventional stores can be frustrating and time-consuming. Electronic commerce promises more convenience, lower prices, better service, broader inventory.

A report this week by the Boston Consulting Group says online retailing in Canada and the United States reached $14.9 billion (U.S.) in sales last year. Online orders were up 200 per cent and the number of online shoppers was up 300 per cent. But despite this growth, online sales still make up only 50 cents of every $100 spent on retail purchases.

What will it take to get more people shopping with the click of a mouse? In a word, trust.

Online retailers have to assure customers they will keep personal data secure.

Privacy policies are useless if not backed up with strict controls.

MegaDepot offered a security guarantee and still ran into trouble. The company grew too fast, hired too many employees, and did too little training, founder Glen Ballman told me.

The problem developed when MegaDepot adopted a new feature - the ability to check your order on the Internet - and didn't consider the security problems it created.

A customer service representative inadvertently gave out the Internet link. The information flew by E-mail and wound up in my computer.

Experts I interviewed said there's only one way for online retailers to avoid such problems: They must be regularly audited and certified by an independent third party.

Web Trust is one such endorsement. Sponsored by the chartered accounting profession, it's awarded to online retailers who are taking the proper precautions.

In Canada, E-Trade and Bell Canada can use the Web Trust seal of approval. They must pass a test every 90 days or it will be snatched away.

As Web Trust and other certifications become better known, people will start to seek out and go to approved sites.

Late yesterday, I spoke again to Ballman at MegaDepot's headquarters in Seattle. He said the company had contacted the customers whose credit cards were exposed to public view. (While I and others had access to 20,000 Canadian customers' records, Ballman says only 78 people had a potential problem.)

"We were able to contain the breach and no one got hurt", he assured me. "I have no reports of any information being used illegally - and I've been fielding calls all day."

Shaken by the security lapse, Ballman called in outside help to do an "organized penetration" of the site and look for other loopholes.

"We've taken extraordinary steps over the last 24 hours to make sure this would never happen again", he said.

And, he promised, Web Trust is under active discussion.

MegaDepot is not alone. It's part of an infant industry that focuses more on technology than on training.

"In a way this was good for us", says Ballman. "We stopped everything else to look at what we were doing. We realize we weren't spending enough time on the human side."

Copyright © 1999 by The Toronto Star. All Rights Reserved. Reprinted with permission.