It has now been about a week since GPZ's site was offline from an unexplained outage where the site was down and customers received mysterious emails from fake addresses as well as a competitor. GPZ is now back online, but I contacted them to find out what happened and whether or not any of their other customer data was compromised. Here is what they had to say.
pogue: Can you comment on what caused the recent outage? Was there a hacker or a raid of some type?
GPZ: We were hacked. Our web store, e-mail addy's and domains were all temporarily out of our control. There were also some events that happened at the exact same time on a local level that give this situation a local connection. We are working on gaining proof.
They defaced the web site, so we had no choice other than to shut the store down until we could gain control of everything.
pogue: Can you discuss the emails that were sent to customers from phoney addresses? Was any customer data compromised during the outage?
GPZ: The e-mail addresses were obviously taken from out store database and used for the phoney DEA.COM e-mails that were sent out. Also, many people have reported to us that a certain competitor of ours has sent unsolicited e-mails to our customers. Supposively a "friend" referred them to this company. Many people are very suspicious about this "referral" e-mail.
As for any other information, it doesn't seem to have been stolen, but we have let people know if they are concerned about the credit card info, they should notified the respective company(s).
pogue: Do you have any idea who (if anyone) might be responsible for the outage and emails that were sent to your customers?
GPZ: Again, we are working on it. The truth will come to light, but it takes a little time.
pogue: If there is anything else you would like to mention, about GPZ, the outage, and your current service, I would appreciate it.
GPZ: We are back up and in control of everything. We have done everything in our power to make sure all of our systems are secured and we have been in contact with IT security people as well.
All orders from last week have been sent out and we are back to getting everything that comes in before 4:30 PM (EST) out the same day.
Please let everyone know we appreciate their patience and understanding, it's been tough for us all.
UPDATE: GPZ Int'l responded to an inquiry by sikboy on the bb forums asking whether or not their site was hacked.
The only hacking that GPZ Canada was affected by was the DNS address that
linked gpzcanada.com to the online store. GPZ Canada was not affected in any
other way. In addition to that, all of our customer's credit card
information is encrypted on the Worldpay.com server under military-grade
encryption so your information is as safe as it gets.
So, it seems a possibly that customer data might have been stolen, although there appears to be no evidence of that. However, if you had a credit card on file with GPZ you might want to watch it for strange charges. If you are concerned that it might have been used please contact your bank and credit card company immediately to stop false charges. Under current U.S. law you are only liable for the first $50 of a false charge. However, the more serious concern would be identity theft. You can also request free copies of your credit report once a year from each of the 3 credit bureaus from AnnualCreditReport.com, which you may want to do if you haven't already.
Again, since we are not completely sure how or what data was accessed customers should be vigilant in watching their credit cards for strange activity just as a precaution.
We are also still uncertain who sent the original phoney emails from the DEA/FDA. If anyone still has copies of them intact, please send them to me with the full headers intact and I will try and determine who sent them.
Thanks very much to getpinz.com for the interviewing and disclosing this information. I will keep you posted of information as I learn about it.