Canadian online pharmacy PlanetDrugsDirect.com has contacted customers to warn them that their data might have been exposed in what it euphemistically describes as a “data security incident”.

In an email seen by Bleeping Computer, the website warned that exposed personal data could include the following:

  • Customer names
  • Postal addresses
  • Email addresses
  • Phone numbers
  • Medical information (including prescriptions)
  • Payment information

The email is, unfortunately, somewhat lacking in detail – meaning that concerned customers may have to contact PlanetDrugsDirect via email or telephone to ask questions such as:

  • What was the nature of the security breach?
  • How did you find out about the security breach?
  • When was the security breach first detected?
  • How many customers are affected?
  • Have you informed law enforcement agencies?
  • If an unauthorised individual or malicious hacker had access to the data, how long did they have access to the data?
  • When you say “payment information” was exposed, I presume you mean payment card details? Could the security breach have exposed full or partial credit card details? What about expiry dates and CVV codes?

It’s not necessarily the case that PlanetDrugsDirect knows the answer to all of these questions. For instance, the security breach may only have come to light after the website’s customer data was found posted online, meaning that the company knows that it has suffered a security breach but not necessarily how or when.

However, some of the questions definitely could be answered – and it’s disappointing that the online pharmacy has not yet been more forthcoming with details of what has occurred, considering the sensitive nature of the data which could be at stake.

I also feel irked that the website itself appears to make no mention of the “recent data security incident”, which would be an effective way to warn more users.
