Spider Came a Crawlin'

April 30, 1997

"You mean my credit-card number is on the Internet?" Mike Donahue of the town of Lafayette State, Indiana, asks, rather surprised.

I thought he knew. After all, that's where I got his name, his phone number, and his Visa number.

Up until two weeks ago all anyone had to do to get info on Donahue's credit card-and the cards of at least 11 other people-was go to the Internet search engine Excite and type in "Holabird Sports," the name of a Baltimore sporting-goods store. Up popped what looked to be on-line order forms-credit-card numbers included.

Whoops! Somebody messed up. Big time.

When I called to get Donahue's reaction and that of others whose account numbers were on the Net, I was usually greeted with befuddlement. They wanted to know how the numbers they provided to a Web page in Maryland landed on a computer in California. The owner of Holabird Sports, David Hirshfeld, is at a loss too; in many ways he's also a victim, having angered his customers through no fault of his own.

A lesson everyone learned is how rapidly the Internet can turn local mistakes into global ones.

Nine months ago, Holabird Sports contracted Worldscape, a small local Web-presence provider headed by a former stockbroker named Morris Murray, to build and maintain a Web site. Holabird had been doing mail-order business for more than two decades, so it seemed natural to expand onto the Web. Hirshfeld didn't know much about the Internet, but with Worldscape handling the site, he wouldn't even need an Internet account. The on-line order forms filled out by customers would be automatically converted into faxes and sent to the sporting-goods store.

On April 3 one of Holabird's Web customers, Florida resident Barbara Gehring, received an E-mail from an Internet user in St. Louis informing her that her credit-card information was on-line. Those fax files had become accessible.

"I was horrified," Gehring tells me by phone. She called Holabird; on April 4, Murray removed the fax files as well as the entire Holabird Web site, then called the people whose account numbers and expiration dates were exposed. (Murray says he didn't phone those whose expiration dates were not exposed, such as Donahue and at least one other person I spoke with, because the lack of an expiration date would have kept scofflaws from illegally using the card numbers to make phone purchases.)

What had gone wrong? Worldscape set up its Web servers incorrectly. The contents of any computer hooked to the Internet can be partitioned into sections-some restricted for private use, some accessible to others on the Net. Worldscape's restricted areas-at least the one holding those Holabird fax files-were misconfigured, making them accessible to the public. Murray maintains the mistake occurred in mid-March when his system administrator incorrectly linked two of Worldscape's file servers together.

For a Web-presence provider, this is not a minor error. It's akin to a bank accidentally leaving its customers' money in the alley out back. But it was a little-traveled alley-the chance of someone stumbling across that information was pretty slim. Murray's real headache didn't begin until the records went onto Excite, a far more trafficked site.

How did this happen? Excite's chief selling point is that it updates its summaries of 50 million Web sites every three weeks, the better to catch changes at frequently updated sites such as on-line magazines. It would be impossible for even a horde of librarians to catalog all the changes, so Excite uses a program called a spider to automatically travel through the pages, copying the text on each one and shipping it to Excite for indexing. The spider found the Holabird customers' numbers and put them up on the Web. Murray repeatedly asked Excite to erase the numbers from its database, and the company repeatedly said it could not-thus they stayed in view for nearly three weeks.

According to Kris Carpenter, product manager at Mountain View, California-based Excite, all the information the search engine holds is linked. "The way the underlying algorithms [used to complete the Internet searches] are calculated is based on the entire collection of documents," she tells me by phone. "To pull even one throws off the calculation for the entire underlying collection."

Excite's is an unusual design, and I wonder if it's a wise one. As Murray says, "This thing is like a piece of stone that you can't take any one part from. . . . What if there is a big problem?They'll have to shut down the entire service."

In any event, the numbers disappeared from Excite by April 19, and Murray reports that none of the Holabird customers have informed him of any improper charges on their cards. So should we believe, as Murray tells me, that the mistake shouldn't be blown out of proportion? "The risk was very minimal," he says, likening the danger to that of a shopkeeper surreptitiously using a customer's credit-card number. But Murray is wrong. There is a major difference-the difference between a few people being privy to your credit-card information versus the entire world.
--Joab Jackson

[ The archive || [E-mail]