> series: anatomy_of_a_breach —— part: 009 —— target: network_solutions —— cards: 573,928 —— merchants_affected: 4,343
In July 2009, Network Solutions — one of the world's oldest domain registrars and web hosting companies — disclosed that attackers had planted unauthorised code on its e-commerce hosting servers. For three months, from 12 March to 8 June 2009, this code silently captured payment card data from transactions processed through 4,343 small business merchant websites and transmitted it to an external server controlled by the attackers. A total of 573,928 cardholder records were compromised.
What makes this breach particularly significant for UK businesses is not the scale — 573,000 cards is modest compared to Heartland's 130 million — but the model. The victims were not large corporations with dedicated security teams. They were small businesses — 'mum and pop' online retailers — who had entrusted their payment processing to a hosting provider. They had no visibility into the security of the shared infrastructure that handled their customers' card data. When that infrastructure was compromised, the small businesses were affected through no fault of their own. This is a supply chain attack, and its pattern is directly relevant to any UK SME that relies on a third party to process payments.
Network Solutions provided a bundled e-commerce hosting service to over 10,000 merchant websites — handling everything from web hosting to payment processing. Attackers compromised the servers that processed payment transactions and installed malicious code that intercepted card data as it was submitted by customers and transmitted copies to an external rogue server. The code remained undetected for approximately three months.
The breach was discovered on 8 June 2009 during a routine security review. Network Solutions engaged external forensic experts, who confirmed on 13 July that the captured data included credit card information. On 24 July, Network Solutions began notifying the 4,343 affected merchants and offering to help them contact their customers. Affected cardholders were offered 12 months of free credit monitoring through TransUnion.
The Network Solutions breach illustrates a fundamental challenge for small businesses: when you outsource payment processing to a hosting provider, you outsource the security of your customers' card data to that provider — but you do not outsource the liability or the reputational damage when it goes wrong. The 4,343 affected merchants had no technical capability to detect the compromise, no visibility into the hosting provider's server infrastructure, and no advance warning that their customers' data was being stolen.
| Failure | What Would Have Prevented It |
|---|---|
| Unauthorised code on payment servers | File integrity monitoring — a standard security control that detects when files on a server are modified — would have flagged the installation of the malicious code within hours, not months. SOC in a Box includes integrity monitoring as a standard component of its 24/7 detection capability. |
| Data exfiltration to a rogue server | Network monitoring would have detected the outbound traffic to an unknown external server. The payment servers should not have been communicating with any destination other than legitimate payment processors. An infrastructure penetration test would have assessed outbound traffic controls. |
| Three months without detection | The absence of monitoring, alerting, and regular security assessment allowed the compromise to persist for a full quarter. Continuous monitoring through a managed SOC service reduces dwell time from months to hours. |
| Shared infrastructure risk | A web application and infrastructure assessment of the hosting environment would have evaluated the segmentation and security controls protecting shared payment processing infrastructure. Our Cyber Essentials certification helps small businesses establish baseline controls — but it also means asking the right questions of your hosting provider. |
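
The file integrity monitoring control from the first table row, as an added example (not code from Network Solutions or from the original article): it hashes every file under a web root at a known-good point, then reports what has been added, removed or modified since. The directory layout, file names and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root: Path) -> dict:
    """Map each regular file under root (by relative path) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue  # skip symlinks and special files
            result[full.relative_to(root).as_posix()] = hash_file(full)
    return result

def compare(baseline: dict, current: dict) -> dict:
    """Return the paths added, removed or modified since the baseline."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def demo() -> dict:
    """Constructed scenario: a checkout script changes and a new file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cart").mkdir()
        (root / "cart" / "checkout.php").write_text("<?php process_payment(); ?>\n")
        (root / "index.html").write_text("<h1>Shop</h1>\n")
        baseline = snapshot(root)  # taken at a known-good deployment
        # Simulate unauthorised changes in the payment path (constructed content).
        (root / "cart" / "checkout.php").write_text("<?php process_payment(); // altered ?>\n")
        (root / "cart" / "helper.php").write_text("<?php /* unexpected file */ ?>\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The baseline is only trustworthy if it is stored and compared away from the monitored host; anyone able to rewrite payment code on the server could otherwise rewrite the recorded hashes as well.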
If your business accepts online payments through a third-party hosting or payment processing provider, you share the supply chain risk that the Network Solutions merchants experienced. The questions to ask are: who handles your customers' card data? What security controls do they have? When were they last tested? What happens if they are breached? And would you even know?
For UK SMEs, Cyber Essentials certification establishes baseline controls for your own systems, but it should also prompt you to evaluate your supply chain. Our web application testing assesses your e-commerce platform's security regardless of who hosts it. And for continuous protection that detects supply chain compromises affecting your payment flows, SOC in a Box monitors for the anomalous data flows and transaction patterns that indicate a compromise in progress. When an incident does occur, UK Cyber Defence's incident response provides the forensic capability to investigate the scope and impact.
Our [web application testing](/penetration-testing/web-application) and [PCI DSS assessments](/penetration-testing/pci-dss) evaluate the security of your payment processing — regardless of who hosts it. [Cyber Essentials certification](/cyber-essentials) establishes your own baseline. And [SOC in a Box](https://www.socinabox.co.uk) provides the continuous monitoring that catches supply chain compromises before they become customer notifications.