To all SEDC Customers:
SEDC is aware of all the facts and timelines regarding the subject of the Ars Technica story. We have taken steps to address the situation.
In dealing with this issue, SEDC refrained from discussing confidential details of its database and software with an unknown third party, since doing so could have compromised our customers' systems.
There are No Violations
- The plaintext password in question is not a violation of PCI-DSS (Payment Card Industry Data Security Standard) compliance.
- This was confirmed with SEDC's independent PCI Assessor.
- SEDC is not in violation of any PCI-DSS requirements.
There was No Breach
- There was no breach of any consumer's data.
We are Making It Better
- In December we notified all of our utilities of the software fix (Version 37 Service Pack 5, Enhanced Customer Portal Security Feature), which introduces an expiring password reset link; it is already deployed to all customers. With this fix, the "forgot password" process sends an expiring change-password link and requires the consumer to confirm their identity before a new password is set. This enhancement removes the option of emailing an existing password to the consumer.
- Phase 2 of the fix (salting and hashing of stored passwords) will be included in Version 37 Service Pack 6, which is currently in beta. These fixes apply to UPN in all versions.
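The two phases above describe a standard pattern: a "forgot password" flow that never reveals a stored credential, and password storage that keeps only a salted hash. The following is an added example of that pattern, not SEDC's code and not a description of how UPN implements it. It assumes an in-memory account table, a 15-minute link lifetime, a last-four-digits-of-account-number check as the identity confirmation, and PBKDF2-HMAC-SHA256 as the concrete salted hash. The last choice is the caveat a practitioner would add to "salting and hashing": the hash must be a deliberately slow, purpose-built password function (PBKDF2, bcrypt, scrypt or Argon2), since a salted but fast hash such as plain SHA-256 is still cheap to brute-force offline.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Assumed parameters (not from SEDC): link lifetime, PBKDF2 work factor, salt size.
RESET_TOKEN_TTL_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256.

    Only the salt and digest are stored, so the original password can no
    longer be emailed back to anyone: the server itself no longer has it.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest for the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def _token_key(token: str) -> bytes:
    # Only a hash of the reset token is stored; a leaked table of pending
    # resets therefore cannot be turned into working links.
    return hashlib.sha256(token.encode("utf-8")).digest()


class PortalAccounts:
    """In-memory stand-in for a customer portal's user and reset tables (assumed)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be exercised
        self._users: Dict[str, dict] = {}
        self._pending_resets: Dict[bytes, Tuple[str, float]] = {}
        # Dummy record so a login attempt on an unknown email costs the same
        # as one on a real account (no timing-based account enumeration).
        self._dummy_salt, self._dummy_digest = hash_password(secrets.token_hex(16))

    def register(self, email: str, password: str, account_last4: str) -> None:
        salt, digest = hash_password(password)
        self._users[email] = {"salt": salt, "digest": digest, "last4": account_last4}

    def login(self, email: str, password: str) -> bool:
        user = self._users.get(email)
        if user is None:
            verify_password(password, self._dummy_salt, self._dummy_digest)
            return False
        return verify_password(password, user["salt"], user["digest"])

    def request_reset(self, email: str) -> Optional[str]:
        """Create a single-use, expiring token to embed in the emailed link.

        Returns the token (the only moment it exists in plaintext) or None for
        an unknown address; the caller should send the same "if an account
        exists, a link has been sent" message either way.
        """
        if email not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        expires_at = self._now() + RESET_TOKEN_TTL_SECONDS
        self._pending_resets[_token_key(token)] = (email, expires_at)
        return token

    def complete_reset(self, token: str, account_last4: str, new_password: str) -> bool:
        """Consume the token, check the identity proof, then store a new hash.

        The token is removed on any attempt, successful or not, so a link
        cannot be replayed and the identity proof cannot be guessed against it.
        """
        entry = self._pending_resets.pop(_token_key(token), None)
        if entry is None:
            return False
        email, expires_at = entry
        if self._now() > expires_at:
            return False
        user = self._users.get(email)
        if user is None or not hmac.compare_digest(
            user["last4"].encode("utf-8"), account_last4.encode("utf-8")
        ):
            return False
        user["salt"], user["digest"] = hash_password(new_password)
        return True
```

Two design points are worth noting. The reset table holds a SHA-256 of the token rather than the token itself, so even a read of that table does not yield usable links, while the token in the link is the only copy and it dies on first use or after the TTL. And because `_users` holds only `salt` and `digest`, there is no code path that could email an existing password even if someone asked for it, which is the property the Service Pack 5 change enforces at the process level and Service Pack 6 enforces at the storage level.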
SEDC uses the Oracle Advanced Security product to encrypt the entire database with Transparent Data Encryption (TDE). Oracle Advanced Security is, and has been for some time, available to all SEDC customers as part of SEDC's offerings. TDE protects data at rest (database files and backups); it does not change what an authorized application session can read, so it complements rather than replaces the hashing of stored passwords.
On behalf of all the management and employees of SEDC, we sincerely apologize for any disruption the Ars Technica article may have caused your organization. SEDC is committed to delivering continuous improvement, working side by side with our customers.