As many as 250,000 customers who used their credit cards at dozens of Napa Valley wineries this April had their financial information and personal data stolen by a cyber-thief. However, according to one attorney, no evidence of significant fraudulent use of the data has been found yet.
The intruder gained access to customer names, credit/debit card numbers, related billing addresses and any dates of birth from winery clients using eCellar Systems created by Missing Link Networks of Calistoga.
“Responding to this criminal act is our top priority,” said Paul Thienes, founder and CEO of Missing Link Networks, Inc.
Approximately 70 wineries throughout the Northern California wine region use eCellar to manage their inventory and purchases, in tasting rooms, with wine clubs and online. A complete list of those clients was not provided.
The thief did not have access to any driver’s license numbers, Social Security numbers, CVV verification numbers, or PIN numbers, Thienes wrote.
“We have identified and secured the method that was used to breach our platform,” he said. From now on, no payment card information will be stored by Missing Link.
The credit cards potentially impacted by this event appear to be those swiped or entered manually at the winery, entered online for purchases from winery websites and those retained for wine club shipments.
Credit and debit cards from all four major brands – Visa, MasterCard, American Express, and Discover – were affected. Each of these card companies has been notified of the breach and provided with information for the cards affected.
In addition to offering fraud and identity theft counseling to affected clients, Missing Link Networks also notified the U.S. Secret Service about the theft.
“The Secret Service Electronic Crimes Task Force is currently investigating a network intrusion involving Missing Link Networks,” said Charles Marino, acting special agent in charge of the Secret Service San Francisco field office.
That task force is charged with protecting financial payments systems and investigating suspected cyber breaches.
“The investigation began immediately following initial notification from the company to our office. Missing Link Networks has been extremely cooperative during this investigation and further comment [will not be] provided due to the ongoing cyber investigation,” he said. Marino could not provide any further details.
According to the state Department of Justice, California customers of the following wineries were affected by the data breach:
— Summers Estate Wines
— Spring Mountain Vineyard
— Silverado Vineyards
— Signorello Estate
— Round Pond Estates
— Rhys Vineyards
— Repris Vineyards
— Pride Mountain Vineyards
— Palmaz Vineyards
— Outpost Vineyards
— Martinelli Winery
— Larkmead Vineyards Vintner and Grower
— Jessup Cellars (The Good Life Wine Collective)
— Heitz Wine Cellars
— Gemstone Vineyards
— Flora Springs Winery & Vineyards
— Charles Krug Winery (C. Mondavi & Family)
— Corison Winery
— Cain Vineyard and Winery
— Peter Michael Winery
— Rombauer Vineyards, Inc.
— Turley Wine Cellars
— Clif Bar Family Winery & Farm
Wineries with customers in other states are required to notify those customers as well.
Representatives from a number of wineries that were contacted about the cyber-theft either declined to comment or did not return phone calls about the breach. Thienes could not be immediately reached for comment.
Robert Cattanach of the Dorsey Law Firm in Minneapolis primarily works in the areas of data privacy, cyber security and breach response. He is representing a number of the wineries affected by the breach.
Cattanach declined to name them or say how many of the 70 Missing Link Networks clients he represents, but said those wineries probably account for 100,000 of the 250,000 people affected.
Part of his work includes “making sure that the threat factor was closed,” said Cattanach. “We received assurances it had been.” However, “There is work that needs to be done to validate the system is secure.”
The good news is that “wineries are not getting deluged with calls,” from frantic customers, he said. Many customers “were quite sympathetic. The vast majority have personal relationships with winery and they feel bad,” for the business.
The attorney said it was too soon to tell how much this breach would cost each winery.
“Will it cost them thousands of dollars? Yes. Will it cost them hundreds of thousands of dollars? It should not.” He said he will know more in the coming months.
Today, “We are in very regular communication with vendor to make sure their system is secure.” In addition, “There may or may not be some insurance involved on behalf of the wineries and vendor.”
Cattanach would not speculate about any possibility of future litigation.
“When the extent of the loss is made clear, you look at your options about possibly getting compensated for the loss.”
The attorney said there is one thing he can be sure about. “In this world, there are people that have been breached and people that don’t know they’ve been breached. Everybody has been infiltrated to some extent.”
“It’s sad for eCellar and for their clients,” said Rob McMillan, founder of the Silicon Valley Bank wine division in St. Helena. “But it’s a wake-up call that everyone should take note of.”
“It’s a bit of a train wreck,” said McMillan. “The thieves continue to get better. It’s not necessarily teenagers doing something for fun, it’s people with more nefarious reasons for wanting this information,” he said.
McMillan said that Silicon Valley Bank was not impacted by the theft but some of its clients were. Before this, McMillan said he was naïve about the consequences of such a theft. Not anymore.
“The amount of time that this will take to fix is millions of dollars,” he said.
Each winery affected has to notify all customers of the breach, hire attorneys and pay for free credit reporting for their customers. Each credit card has different rules you have to follow after such a breach, he said.
This can take valuable time away from running their businesses, many of which are family-run or small business operations. “You’re not making money while you do that,” he said. Plus, “You’re spending all your time on damage control with your brand,” McMillan said.
“These are people in your wine clubs, people you have a personal relationship with, people you are trying to sell expensive wines to. Your most important clients. Now you are having to apologize for getting hacked.”
His advice for other wineries and businesses is to make an incident plan and create an incident response team in advance. Include public relations and other law enforcement contacts.
“Be educated. Know what data could be taken, so when that happens you’re not having to start from scratch. You can get through and back to business as soon as possible,” McMillan said.
And don’t pretend it won’t happen to you, he said. “With the number of breaches out there, you can’t do that. You’ve got to secure your information or it could put you out of business.”