Dear Artist's Club customer,
We regret to inform you of a recent security breach at Artist's Club—a troubling event that has caused inconvenience and concern for some of our customers, as well as our staff.
As a result of a vulnerability in a widely-used commercial website server software, between the dates of December 21, 2012 and January 25, 2013, a file containing some private information used on the Artist's Club and related Crafts Americana Group websites was potentially accessible to unknown outsiders without authorization. As soon as the file was discovered, we implemented increased security measures and began working closely with law enforcement and the affected credit card companies to investigate the incident. Once we were reasonably sure of what had happened, we immediately informed the people that may have been affected by this incident.
Some of you are upset, disappointed, or confused, and we wholeheartedly apologize. Please know that we share these emotions with you. As with any theft, there’s the troubling feeling that even the most dedicated diligence is sometimes not enough. On every level, we work hard to ensure that your information is secure and that we are not only meeting, but exceeding the security standards required for online businesses.
The unfortunate truth is that breaches in data security are a widespread problem—and something that seems to affect all of us at some point, regardless of the strict security measures we insist upon. Many companies, both large and small, have been affected by the same flaw in the software that we relied on and other unforeseeable software flaws.
Still, that doesn’t prevent us from being extremely sorry about the inconvenience that this has caused some of you.
Please understand that we would never be idly silent on an issue as vital as your financial information. On the contrary, you deserve transparency—but also understand that it’s equally essential that we approach you with all the correct facts and not an empty, rushing alarm. As the investigation continues to develop, we’ve reached a point where we can wholly and accurately state the following:
The exploited file that we first discovered on our internet servers on January 25, 2013 contained information that included names, addresses, and credit card numbers of some, but not all, customers who had made a purchase on Artist's Club or other Crafts Americana websites in late 2012 and early 2013; it did not contain information on customers who purchased from us solely through other means, such as phone or fax. The file was created through an exploitation of a flaw in the website server software; similar problems appear to have affected many other companies that use the same software.
As soon as the breach was discovered, we immediately made changes to fix the exploited server software and took the following steps:
- Notified and worked with law enforcement.
- Notified the credit card companies, via our payment processor, so that they could monitor activity on their end for anyone that may have used a card on our sites.
- Hired an outside firm to conduct an investigation and an audit of our systems.
Once we were to a point where we were sure about who was affected, we sent letters to all U.S. and Canada residents whose information was in the file that we discovered, and also informed several state regulators about the incident. The letters were sent on February 8th, so if your address is in the U.S. or Canada, and you have not received a letter within the next few days, your information was likely not in the file that was potentially accessed.
As an added precaution, your credit card provider may choose to reissue you a new card, regardless of when you shopped at one of our sites. Additional information on dealing with an incident like this is included in the letters we sent out, such as how to obtain free copies of your credit reports and the importance of monitoring your credit card statements. In the majority of cases, those of you affected should not be responsible for any fraudulent charges or fees to reissue cards. If you do have out-of-pocket costs, please contact us.
The security of our systems is extremely important to us, and we never want breaches like this to occur. We now believe we have solved all known issues with our systems and continue to pass PCI (Payment Card Industry) compliance testing. For those looking for alternative payment methods, we also offer PayPal on our sites.
If you still have any related questions, please email us at firstname.lastname@example.org; in directing your concerns this way, we’ll be better able to respond in the thorough and timely fashion you deserve.
We feel privileged to be part of such a wonderful and dynamic crafting community, always priding ourselves on excellent customer service and first-rate security standards. Please rest assured: Through this difficulty, we are now even stronger and better able to serve our customers. Thank you, to each and every one of you for standing with us during this trying time.
Sincerely and on behalf of everyone at Crafts Americana Group,