Vanguard records compromised

[cferron]

Just another reason to love doing business with Vanguard...

I placed a small order online on Saturday.  Yesterday I got an e-mail from someone purporting to be with Vanguard showing the order number and my complete credit card number and asking for more information to protect me from "fraudulent transactions." 

They wanted the frontside and backside of the credit card; a photo ID card such as driver's license or passport number and a recent bank statement or utility bill.  It was from order@vanguardmil.net and signed by Steven K in the order processing department.

Since this just screamed "phishing" I didn't reply and called and talked to Eva in the East Coast Vanguardfacility this morning.  She confirmed there had been "an incident" and told me not to reply to the e-mail.

I'm contacting my cardholder to put a watch on the account, but be sure to look out for this one.  So much for secured transactions...I wonder where the breach was and how many records have been compromised?

[Tubacap]

Anyone know who to contact at NHQ to notify them that this happened?

[desertengineer1]

Great.  Just what we all need.  

Getting a little tired of new credit cards due to mismanaged databases.

[NC Hokie]

It would appear that Vanguard's online order processing system has been compromised.

I placed an order with Vanguard over the weekend and almost immediately received an e-mail requesting verification of my payment info.  The message was suspicious, so I called Vanguard this morning to ask about it.  They confirmed that the message I received was a scam and suggested that I closely track my credit card account for fradulent activity over the next few weeks.

The e-mail included my order number and asked that I send a copy of my credit card and ID to verify my identity.  The fact that I didn't do so SHOULD keep me safe, but the scammer WAS able to get my order number and e-mail address, so there's no telling what else he might have.  I'm also a bit concerned by the fact that the receptionist who answered my call immediately asked if I was a Civil Air Patrol member when I mentioned that I was calling with a question about my order.

In any case, I'd suggest that anyone ordering from Vanguard do their business over the phone as much as possible.  I also suggest that anyone who has done business with them in the recent past closely monitor their payment account for suspicious activity.

[MIKE]

Merged.

[Major Carrales]

I had my credit card "jacked" earlier this year.  I got an e-mail from my Credit Card Company and when I called the number on the back of the card they showed me for purchases in Australia and other parts of the world of which I had no contact.

I had to get a new credit card.  Ironically, I only use my credit card (i'm more of a "cash man") for emergencies and, again ironically, ordering from Vangaurd.

After that, I now send in all my orders via snail mail (no matter how long it takes...normally a week).  I just "pretend" I'm gonna check out, print the screen and send the order with a money order from the USPS.

I am not pleased if the allegation in this post is true.  Not pleased on bit!

[mikeylikey]

Ya....Vanguard sucks.  Don't do business with them.  This is the reason we need NHQ to break their contract with them, and allow any vendor to produce CAP uniform items.  If NHQ doesn't do that, then they SUCK and are only out to screw you and me over (the volunteer).  By continuing to do business with them, CAP says "we don't care about our members, watch them get screwed over".

Oh man.......I really hate Vanguard.   

[dbaran]

Vanguard just confirmed it to me (I'd ordered for the first time in 2 years, got one of their emails, and nearly blew a gasket over the fact that it had my entire credit card number in it!).  Looking at the phishing email, it was sent through Google.  The person at Vanguard said that their web site was completely copied (their words - not mine).  It even had my order history from 2 years ago!    And my order was in their system.  So I am NOT buying the "we got copied" argument.  You can copy a web site, but when an outsider manages to copy the back-end database and insert himself into the order processing chain ... you have some serious IT security issues to address.

20 minutes on the phone with the credit card company to make sure it was cancelled...grr..now I get to call each of the credit bureaus and get a fraud block placed again....

[Major Carrales]

 The person at Vanguard said that their web site was completely copied (their words - not mine).  It even had my order history from 2 years ago!

Fortunately, the Credit Card account I had when I last made an order with them that way has been suspended in favor of another Credit Card number. 

This is quite serious, but it is what happens when we place too much faith in automation.  I have never understood how people could keep a system with such sensative info even on the same physical hardware as the internet.

WOW, I'm glad I've been sending the orders via the post.

[♠SARKID♠]

And now they have a banner at the top of the home page.

In order to avoid exposure to pharming please verify if you are at vanguardmil.com.

Vanguard will NOT send you e-mails requesting personal information.
Please contact us at (800) 433-1334 if you have any question or concern.

I think this calls for me to open a credit card account and do my online business on it, rather than my current process.

[Pylon]

Are they going to issue a statement about what happened, how it was not prevented, and what Vanguard will be changing to prevent this in the future?

[Ned]

Ya....Vanguard sucks.  Don't do business with them.  This is the reason we need NHQ to break their contract with them, and allow any vendor to produce CAP uniform items.  If NHQ doesn't do that, then they SUCK and are only out to screw you and me over (the volunteer).  By continuing to do business with them, CAP says "we don't care about our members, watch them get screwed over".

Oh man.......I really hate Vanguard.   

Another calm, reasoned opinion.   




Guys,

It looks like Vanguard got hacked.  They are victims of a crime, and now someone is trying to make some of us victims as well.

Undoubtedly they will be reviewing their security procedures and will make changes.

But it is worth remembering that every single business on the net could have "better security."  Heck, even Uncle Sam gets hacked with some regularity.  I seem to recall getting a note from the VA saying they had lost some of my information about a year ago.

And it was not the hardworking professionals at NHQ who made the decision to contract with Vanguard.  It was our volunteer leaders on the NB.

Who made the best possible decision at the time.  A decision which has immensely benefited the membership as a whole while returning much-needed training money to serve our members.

Let's give the authorities and Vanguard a reasonable amount of time to conduct an investigation to see what actually happened before screaming for blood and public explanations, shall we?

And in the meantime, take prudent precautions concerning your credit information.

Ned Lee
NHQ Apologist

[Tubacap]

^Concur!

[NC Hokie]

FYI the Vanguard website is STILL hacked...go to www.vanguardmil.com and hover your mouse (DO NOT CLICK!!!!) over the Log In link in the upper right corner.  When you do so, you'll see that the link points to another website.  The rep I spoke with found this to be very interesting and said that he would pass the info along to their IT department as well as the FBI.

From what I can tell (and I may be wrong here, but I think I'm pretty close), the hacker got into the Vanguard server and changed any Log In links to point to his site, processed the orders while copying our info, and passed the orders along to the real Vanguard server for fulfillment and billing.

[♠SARKID♠]

FYI the Vanguard website is STILL hacked...go to www.vanguardmil.com and hover your mouse (DO NOT CLICK!!!!) over the Log In link in the upper right corner.  When you do so, you'll see that the link points to another website.  The rep I spoke with found this to be very interesting and said that he would pass the info along to their IT department as well as the FBI.

And they're trying cover themselves by using https.  Good luck with that when the FBI starts its search...

[Major Carrales]

I am not pleased, but I must concur with the objective stance on this matter proposed by NED.  It is obvious that any US service man that attempted to order from Vanguard was also thusly effected. 

I hope the criminal is caught and dealt with in a fitting manner.

[rjacobs]

The login prompt pointing to a toad.he.net URL isn't part of the hack.  Vanguard uses Hurricane Electric for their site hosting and this is part of their online store setup.  Even so, they could have designed their site better to reduce confusion.

Checking their DNS records (vanguardmil.com) show they use Hurricane Electric for their name servers, and an ARIN search shows their IP address is in the netblock owned by HE.  It doesn't look like any DNS hijacking is going on.

vanguarmil.net is using a dynamic DNS service (afraid.org) for its DNS.  It looks like Vanguard has altered their site to recapture the framed content from the .net site and has put up a short message about verifying the site when this happens.  This started about the same time I started researching all of this.

So, while the login prompt doesn't indicate that they are still hacked, I wouldn't be ordering anything from them while they are still actively working to fix the problems.

[Major Carrales]

I have considered using one of those "load me up" credit cards for such transactions.  In anycase, I will likely never use a credit card for it, so long as they accept mail in orders.

[shorning]

I hope the criminal is caught and dealt with in a fitting manner.

Like making them order from Vanguard?

[Major Carrales]

I hope the criminal is caught and dealt with in a fitting manner.

Like making them order from Vanguard?

I don't know, does Vangaurd sell striped black and white jumpsuits?