Just over 1,000 California Association of Realtors members may have been affected by a breach of the online store they use to buy everything from blank home sales contracts and disclosure forms to books, software, magnets, lapel pins and coffee mugs.
The malware attack, which occurred from March 13 through May 15, prompted CAR subsidiary Real Estate Business Services to notify the affected 1,033 members last week their personal data may have been stolen while using payment cards such as credit cards for online purchases.
The list of potential victims is limited to CAR members, such as real estate agents and mortgage brokers, as opposed to the general public. Still, the breach is worrisome in that the hackers penetrated the Real Estate Business Services computers even though they were equipped with virus and malware protection, said Debra Ferrier, REBS chief executive.
"We'd like to keep ahead of these guys, but these guys are so smart it's sickening," Ferrier said.
The breach was discovered after a member called and said, "My credit card got hacked." Apparently, illicit charges to the member's card were made right after he bought something online at the store.car.org site, the REBS web address.
REBS brought in computer experts, who discovered malware had been uploaded onto the store's payment processing software. The malware made it possible for hackers to get a user's name, address, payment card number, card expiration date and, in some cases, the three-digit card verification code (or CVC) -- in short, everything needed to bill charges to a customer's account.
REBS has changed its payment processing, using PayPal rather than taking payment card data directly. In addition, the online store is offering free LifeLock card monitoring for a year to affected members.
"We've changed all our practices," Ferrier said.
Although 1,033 members used their payment cards to make purchases during period REBS computers were infected, Ferrier said she doesn't know how many cards were hacked.
REBS is advising members to monitor their account statements, review their credit reports and consider placing a fraud alert on their credit reports.
If members have questions, they can contact REBS at 213-739-8283.