Hello Everyone. I have been ripped off so many times it's absurd. I've been followed home and cornered in my driveway, I've had my house burgled four times, cars broken into. It's eerie when you know someone's been there when you weren't, worse of course when you are there--oh my. Lots of damge many times over. It would be really nice and tremendously cathartic to find some accountability a face to pummel and punish for all the destruction and lost trust etc.

 

However Alan and GSA in this case are also victims. GSA has never been nothing (sic) but a tremendous source of fabulous products, information and goodness. They are not the nasty bad guys. Sure sure no I get it--many of you have been ripped off and it's awful and you feel vulnerable and slightly terrorized but Alan has his whole livlihood on the line here. In this economy it's too much to hold him, a fellow innocent, an honorable businessman accountable for the badness/cruelty of the thieves.

 

Don't let the theives take any more hostages. Sure, we'd all love some justice. Alan is also being ripped off--he is actually being ripped off more.

 

Don't let the bad guys take hostages. Especially someone's business.

A

I assume you also plan on notifying all customers who have placed credit card orders while you were compromised to inform them they are at risk? Or is the burden on impacted customers to find this thread and contact you on their own?

If only it was that easy, Jason.

 

 

http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx

 

Security-Breach Costs Climb 7% to $7.2 Million per Incident

By Kelly Riddell - Mar 8, 2011

 

...About 85 percent of all U.S. companies have experienced one or more data breaches, Ponemon said, and the figure may be larger because many don’t have the ability to detect when information has been exposed....

Costs of data breaches are increasing as more states pass laws requiring companies to disclose whenever customers’personal information is exposed, Ponemon said. So far, 46 U.S. states have passed such measures, with varying definitions of a breach, deadlines for notifying customers and punishments for failing to comply.

Patchwork of Laws

“The patchwork state laws drive up significantly the cost of incident response for national corporations because the reporting requirements and data sets are different for each state,” said Eric Friedberg, a co-president at Stroz Friedberg LLC, which does forensic analysis of data breaches. “When you have to report to several state attorneys generals on the forensics side, it becomes way more complex than if there were one standard.”

The U.S. government has yet to adopt guidelines for companies to follow in the event data is exposed....

 

Most Not Publicized...

Most corporate data breaches are not publicized to avoid alarming customers. Ponemon based its study, titled “2010 U.S. Cost of a Data Breach,” on interviews with executives from 51 U.S. companies that publicly acknowledged a breach of sensitive customer data last year and were willing to talk about it.... 

 

http://www.bloomberg.com/news/print/2011-03-08/security-breach-costs-climb-7-to-7-2-million-per-incident.html

I have also been a victim of CC Fraud. I notified my CC company and filled out the form for fraud investigation...at that time however I was not sure about it being because of Global Sugar Art. I mail the form and in a hour I discovered this thread. I contacted my CC company later to notify them.

I also tried to delete my account on the Global Sugar Art website and couldnt do so. When I contacted them, I was told the account can never be deleted. I dont think I want my information to be still present there but apparently I cannot delete it.

Alan you havent yet answered anyones question or comments as to why you havent notified any customers or why you continue to allow people to purchase online when your website isnt secure?

 

I think I can speak for a few other cake central members when I ask you to please answer...

A

It is not technically difficult to compile a list of customers who have ordered between specific dates, and GSA has already demonstrated that they are willing to admit to being compromised here, so I'm not sure why they aren't taking that extra step of notifying customers.

I hadn't even thought of the mandatory reporting laws for security breaches, since GSA is based in NY they may be required by law to tell their customers: http://public.leginfo.state.ny.us/LAWSSEAF.cgi?QUERYTYPE=LAWS+&QUERYDATA=$$GBS899-AA$$@TXGBS0899-AA+&LIST=SEA3+&BROWSER=BROWSER+&TOKEN=41381912+&TARGET=VIEW

tracyaem....I agree!!! GSA is a wonderful website with great products, great prices and great shipping...no one is denying that fact!! I 100% agree that the way this was handled was WRONG! They are allowing people to still purchase and with that allowing their personal information to be hacked! This couldve been taken care of by putting a simple statement on their website during checkout with a background of whats going on, and give people a secure option on how to buy. Then they wouldnt have lost so many customers! I do believe had they done that, more people would be forgiving and stick with GSA!

 

I have actually taken all of the information I have, down to my local police station. Im not sure what can be done, but Im sure the way they handled this is wrong.

AFYI, I just went through the checkout process at GSA as a test and you are now sent to the Paypal site to enter your billing information, so your credit card number is no longer stored anywhere on the GSA servers if you place an order now.

Your account email address and password are still stored on the GSA servers though, so if you used the same password on GSA anywhere else you will want to change that password ASAP.

I was notified by my credit card company on Friday of a charge for $1399 to Dell. Two other "testing" charges, $1 from Dell and $9 from Zappos. I reported them as fraud to my credit card company. Now I have "Dell" calling my house multiple times (caller ID) and left 2 messages during the day while I am at work, when I call the number back, I am put on hold.  This happened two months ago on the same credit card account, first a "tester" charge for $15, then a $1304.99 charge to Costco.  This is my main credit card account because I love the rewards it provides so I was not able to figure out where the breach in security came from.  It seems a little more than coincidental and to think this may go back to September.

This morning I received a GSA email about what is on sale and saw a note about server and security issues.  I had placed orders with GSA before both of these fraud incidents. I agree its not right for them to not notify customers who have already placed orders of the security issues so they can keep an eye on their accounts. Had I known GSA was having security issues (I recently placed orders on 11/16 & 11/26), I still would have placed my orders, just would have used a temporary card. That would have saved me from the position I am in now - the second time around.

Please, cake-buddies, take a deep breath---the ill will here needs to be directed at the THIEVES.

GSA does NOT deserve to be maligned. They are now being robbed of thier GOOD NAME (and by CC? Really?)

 

He fixed it over and over.

Your credit card companies resolved those issues for you. Yes it's a nasty thing to have to go through but don't compound it for the unfortunate merchant.

Where will Alan go to restore his reputation you all are carelessly tossing about.

 

Besides, how would GSA know who got dinged?

They fixed it three times.

Notification laws are screwy and different in each of the 46 states that have laws.

 

You are putting his face on the punching bag and having at it when it was someone else that did this evil thing.

I don't care if you don't believe it--that's what the man we've known for over 10 years said.

He's been nothing but an honorable and generous businessman deserving of a break and our heartfelt sympathy not to mention some serious apologies.

 

 

Merry Christmas

I have personally spoken with Alan from Global Sugar Art and they are handling this situation.  If you were an affected customer, you will receive a notification from a GSA representative, but not through cakecentral.com

 

As for any of the other advice in this thread, unless it came directly from a GSA representative, or cakecentral admin, I recommend that information be disregarded, as it did not come from an official source and can only be classified as here-say.

 

I have every confidence in the Global Sugar Art team, that they are working around the clock to protect customer's sensitive data. They are currently still open and taking orders, however they are only accepting paypal until the security team has updated any possible breaches with other payment methods.

 

I remain steadfast in my support of Global Sugar Art, they have always been, and will continue to be an excellent company to do business with, as they serve cake community with respect and a high standard of customer service.

 

I will post any official updates for you as they come in.

I agree in part but seriously, in 2012 or even 2010 for that matter it isn't enough to be an honourable gentleman, it is not only naive but also very irresponsible to be running a Company that doesn't think of security of their website ALL THE TIME. 

Yes, he probably was just living in a little bubble thinking.... oh it won't happen to us..... but YES - it does, on a daily basis - it also HAS happened to GSA on more than 1 occasion and it appears they don't have the resources/inclination to do what is required to prevent if happening again. (3 times already!)

 

It IS a companies responsibility to be constantly on guard for this - NOT just fixing the breeches as they occur.  They should have been upgrading their system all the time - as new technology appears, theives get smarter, so in turn the companies NEED to upgrade to a more secure system over and over again.

 

This isn't a one off fix - it is an on-going thing

 

I don't want to see anybody's business damaged - but seriously there IS only one place where the blame lays - granted for the most part it wasn't intentional - but to sit back and be complacent and then get upset with the people that brought this SERIOUS breech of security to the public arena is truly mis-placed blame.

 

To suggest that ..... "your CC companies resolved the isses"  so leave him alone - is unbelievable  - this may be an easy fix for some but not only is it extremely inconvenient - it isn't always 'painless'   - the onus IS on the merchant to provide a safe shopping site ..... or do not enter into the online shopping arena!!

 

The best thing that can happen is that they truly learn from this experience - invest in an ONGOING secure system - much the same as any good bank, people WILL only continue to use a system that they can have complete faith in ............. and THAT is going to be the task now

 

To RE-BUILD that trust - that was so shamefully ignored before.

ACCEPT that what has happened WAS their fault
APOLOGISE to their customers

VOW to do whatever is necessary to provide secure shopping

This will go a long way in restoring the reputation that he values so much

 

To try and sweep all of this under the carpet as a "what are you all whinging about"....... will only serve to make people angrier !!

I have had 2 different bank accounts hit several times this year, Thousands have been taken.  The last 2 times (2 different banks) I have given the fraud dept GSA's details as I have been hit every time after I have used GSA!!!

AProactively notifying customers is a good step toward repairing GSA's tarnished reputation, I'm just surprised this was announced by someone at CC instead of someone at GSA.

Besides, how would GSA know who got dinged?

Anyone who placed a credit card order between when they were initially hacked and when they switched to PayPal is at risk, the right thing to do would have been sending an email to all these customers telling them about the security breach.

This thread is a good case study for crisis management. When there is a crisis at your business, the best thing to do is get out in front of the crisis and proactively notify your customers as soon as possible. As we've seen here, if you delay telling people or try to sweep it under the rug it will probably come out on its own anyway, and when it does it will be far more damaging to your reputation.

I don't remember what company it was, but one that I have an account with had their servers compromised in by hackers. They knew that there was a risk of some clients having their informaiton taken, so they emailed all of those customers and gave us the option of being enrolled in one of the credit monitoring services for the following year. I'm not saying that GSA should have done that, but it's a good example of being proactive.

 

There have been enough cake decorating supply companies who seem to have this problem in the last two years that you would think they'd have made some adjustments instead of waiting around to do something. CK has the same issue, and someone I know spoke to them at the ICES convention about it. They were fully aware that it was going on but hadn't done anything to warn people or stop taking payments. This was at least 6 months after a different person I know had called them about it and gotten a mumbled "well okay we'll look into it" kind of reply.

 

I ordered from GSA recently but used the paypal option exactly because of this problem. My credit card number was stolen three times in the last two years, and each time was after ordering from one of those two companies. When I definitely figured out the connection I stopped ordering from them, and I haven't had any problems since. It's definitely not a small thing to have your credit hijacked, so to know that a company is being blase about it is irritating.