Hackers Access Firms’ Credit Card Records

The safety of online commerce suffered another blow with disclosure that the credit card database of a health products supplier was opened to hackers for a few hours this week. Word of the security breach at Global Health Trax Inc. comes as credit card companies are canceling thousands of cards because someone pilfered their numbers from CD Universe, a Web music seller.

The card companies say the CD Universe case, uncovered Monday, has resulted in the largest mass-cancellation of cards they can recall. Global Health Trax, based in Poway, east of San Diego, sells dietary supplements to about 3,500 distributors nationwide and has annual sales of about $3.5 million, Executive Vice President Lorin Dyrr said.

Distributors can go to the company’s Web site, https://www.ghtne.com, and enter their credit card number on an order form that is e-mailed to the company. On Monday, account information on several hundred distributors was open to hackers on the company’s old Web site, Dyrr said. The company said that it believes the breach was a case of corporate sabotage by three former employees and that few people accessed the numbers.

The customer information was available for a few hours, and at least two people accessed the site, including a reporter for Internet and cable TV news service MSNBC who contacted the company Monday about the glitch, Dyrr said.

In the CD Universe case, an unidentified hacker claimed to have stolen 300,000 card numbers. He said he sent a fax to the company last month offering to destroy his credit card files in exchange for $100,000.

When the company refused, he used a Web site called Maxus Credit Card Pipeline to distribute as many as 25,000 of the stolen numbers. Since then, credit card companies and banks have worked with CD Universe, based in Connecticut, to locate their customers who used the online retailer.