Thursday, October 28, 2010

Hobby Search online shop's database was hacked

Customers of Hobby Search (http://www.1999.co.jp/eng/) might already have received this information directly from Hobby Search in their e-mail inbox, but we would like to share this shocking news here once again through Shewsbury Land.

If you are one of the customers of Hobby Search, it is indeed disturbing to read such an e-mail. When dealing with online payments and credit card information, security is a major concern for the customer, the online retailer and the credit card issuer.

There are too many fraud cases happening all the time, and this makes certain banks, HSBC for example, super careful with their customers' credit card transactions, especially those related to internet or online purchases.

It is the responsibility of the customer to be careful when doing internet/online transactions, but it is also the responsibility of those online retailers/service providers to safeguard their databases from any unwanted situation. Trust is the key. If customers trust them with their credit card details, they must protect and safeguard that trust accordingly. Nonetheless, sometimes one can be extra careful and do all that one could, and yet shit happens.... sigh!!!

Below is the e-mail from Hobby Search; they also posted this information on the front page of their online shop:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

To Hobby Search customers:

We are writing to let you know of a hacker or hackers that
penetrated our computer system and accessed customer data including
credit card information.

At the time of writing, we do not know of any of this information
being available publicly. It is important to us that you, the
customer, do not experience any monetary damages because of this
incident, and we have provided the information of all the cards that
may have been involved in this incident to each of the credit card
companies so that they may monitor the activity on these cards.
If you have any concerns about the security of your card, please
contact the card company (via the number on the back of your credit
card).

Also, although we have switched to a more secure credit card
transaction system that only stores the last four digits of your
card on our databases on July 7, 2010, we have disabled credit card
payments indefinitely.

The credit cards involved in this incident are those used in orders
prior to July 7, 2010 (a maximum of 23,526 cards), and we are
notifying those affected with this email.


- Credit card numbers, expiration dates, cardholder names

We do not store personal verification passwords or security codes on
our databases, so these have not been accessed.
Again, we have switched to a more secure credit transaction system
on July 7 that only stored the last four digits of those cards and
cannot be abused by a third party.
We are deeply sorry for any inconvenience or concern that this
incident may have caused.


October 6 - A system administrator found traces of attacks from
Korea and began investigating immediately. That night, we contacted
an external security firm to investigate.

October 7 - The external examiners began investigations in the
morning. We shut off our systems for emergency maintenance,
reinstalled all server operating systems and software, re-examined
security settings, and isolated the server.
Logs indicated that customer data had been sent out from our server
to the address of an institution in Korea.
We contacted that institution by phone and email about this incident
and confirmed that the data had been deleted. We believe that they
were used as a proxy.

October 8 - We revised program, network, firewall, and client
machine security and implemented an intrusion detection system.

October 12 - We contacted the credit card transaction handler and
began discussions about the course of action.

October 20 - The external investigators concluded their
investigations and determined which and how much data had been
accessed.

October 28 - With the results of the investigation and cooperation
of credit card companies, we are ready to handle customer
correspondence and have sent out email notifications to the
customers that may have been affected.

The attackers took advantage of a security hole in our computer
systems.
We have not determined who they are, but have found the attacks to
be originating from an educational institution in Korea. We have
contacted this institution and requested they determine who the
attackers are and that they secure the data stolen.

We deeply regret that this incident has occurred, and are
continuously examining the security of our systems. We believe that
the root of this problem was the lack of security awareness among
each and every employee and are making sure this should not happen
again.
We will work hard to maintain your confidence in Hobby Search and
hope to see your continued patronage.

Sincerely,
Toshiyuki Suzuki
President
Hobby Search

Hobby Search Co., Ltd.

Telephone: 81-3-5833-3533 (International)

Fax: 81-3-5833-3534 (International)

Hours (10/28 - 11/07): 10AM-9PM (10AM-6PM on weekends and holidays)
Hours (11/8 onwards): 10AM-12PM, 1PM-6PM Mon-Sat except on weeks 2 and 3 of the month

E-mail: hs-support@1999.co.jp

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Shit happens, and now not only does Hobby Search have to do lots of things to fix this problem and prevent it from happening again in the future; the customers of Hobby Search also need to be cautious and monitor their credit card transactions carefully to see if any suspicious transaction suddenly appears in their statements.

As a concerned customer, you have every right to be worried, and this will certainly affect your trust in this particular online hobby shop. Some will say "I will blacklist this shop forever"; some will say "Let's just hope that nothing bad comes out of this". Either way, if you are one of those concerned customers, it is up to you to decide, but the most important part is to always be careful when dealing with online/internet transactions.

I hope that other online retailers, especially the online hobby and toy retailers from Japan, will take note of this security concern and take precautionary measures to safeguard their databases.


end