Dear Knit Picks customer,
With a heavy heart, we regret to inform you of a recent security breach at Knit Picks—a troubling event that has caused inconvenience and concern for not just some of our beloved customers, but also ourselves, our friends and our family.
As a result of a vulnerability in widely used commercial website server software, between the dates of December 21, 2012 and January 25, 2013, a file containing some private information used on the Knit Picks and related Crafts Americana websites was potentially accessible to unknown outsiders without authorization. As soon as the file was discovered, we immediately implemented increased security measures and began working closely with law enforcement and the affected credit card companies to investigate the incident. Once we were reasonably sure of what had happened, we informed the people who may have been affected by this incident.
For this, many of you are upset with us—we know, because no message or email or posting has gone unread. Some of you are angry, disappointed, or confused; know that we share many of those emotions with you. As with any theft, there’s the troubling feeling that even the most dedicated diligence is sometimes not enough.
Please understand that we would never be idly silent on an issue as vital as your financial information. On the contrary, you deserve transparency—but it’s equally essential that we approach you with all the correct facts and not an empty, rushing alarm. As the investigation continues to develop, we’ve reached a point where we can wholly and accurately state the following:
The exploited file that we first discovered on our internet servers on January 25, 2013 contained information that included names, addresses, and credit card numbers of some, but not all, customers who had made a purchase on Knit Picks or other Crafts Americana websites in late 2012 and early 2013; it did not contain information on customers who purchased from us only through other means, such as phone or fax. The file was created through an exploitation of a flaw in our website server software; similar problems appear to have affected many other companies that use the same software.
As soon as the breach was discovered, we immediately made changes to fix the exploited server software and took the following steps:
- Notified and worked with law enforcement.
- Notified the credit card companies, via our payment processor, so that they could monitor activity on their end for anyone who may have used a card on our sites.
- Hired an outside firm to conduct an investigation and an audit of our systems.
In addition, on February 8, we sent letters to all U.S. residents whose information was in the file that we discovered, and also informed several state regulators about the incident. We sent the letters as soon as we were reasonably sure about who should receive them, mailed via the addresses we had on file. If your address is in the U.S. and you have not received a letter within the next few days, your information was likely not in the file that was potentially accessed.
Out of an abundance of caution, however, your credit card provider may choose to reissue you a new card, regardless of when you shopped at one of our sites. Additional information on dealing with an incident like this is included in the letters we sent out, such as how to obtain free copies of your credit reports and the importance of monitoring your credit card statements.
You should also know that in most cases, those of you affected should not be responsible for any fraudulent charges or fees to reissue cards. If you do have out-of-pocket costs, please contact us.
The security of our systems is extremely important to us, and we never want breaches like this to occur. We now believe we have solved all known issues with our systems and continue to pass PCI (Payment Card Industry) compliance testing. For those looking for alternative payment methods, we also offer PayPal on our sites.
The unfortunate truth: Breaches in data security are a widespread problem—and something that seems to affect all of us at some point, regardless of the strict security measures we insist upon. Many companies, both large and small, have been affected by the same flaw in the software that we relied on and other unforeseeable software flaws.
Still, that doesn’t prevent us from being extremely sorry about the inconvenience and discomfort this has caused some of you.
If you still have any related questions, please email us at firstname.lastname@example.org; by directing your concerns this way, you help us respond in the thorough and timely fashion you deserve.
We feel privileged to be part of such a wonderful and dynamic crafting community, always priding ourselves on excellent customer service and first-rate security standards. Please rest assured: Through this difficulty, we are now even stronger and better able to serve our customers. Thank you, to each and every one of you for standing with us during this trying time.
Sincerely and on behalf of everyone at Crafts Americana,
An addendum for our Canadian customers: We care about you too! Canadian letters will be mailed shortly; this is simply due to different government reporting standards in Canada. Thanks for your patience.