It was 25 years ago, December 22, 2000, that Egghead’s website, egghead.com, was hacked, exposing 3 and 1/2 million credit card numbers. This incident raised a question we’ve been asking ever since. How do we know that our payment information is safe?
The wild west of security

The problem for Egghead, and everyone else, in the year 2000 was that it was the wild west when it came to security. There wasn’t a lot when it came to standards, and competent people to help you navigate the standards that did exist were hard to come by. And security updates came at unpredictable intervals, if at all.
As consumers, the best we could do at the time was to make sure our web browsers were using a connection that started with HTTPS if we were entering a credit card number, and maybe look for a lock symbol in the address bar to indicate our browser was using encryption.
Making matters worse, there were usually two versions of every web browser. There was a version that used 128-bit encryption that you could download if you were a US citizen, or a citizen of a country that the United States was willing to sell weapons to. Then there was the weaker version with 56-bit encryption that anyone could use. If you accidentally downloaded the 56-bit version, you had substandard protection.
But that only protected part of the transaction. You had absolutely no control over what the merchant did with your credit card information after they received it.
A standard called PCI DSS arrived in 2004, giving merchants a single standard that all credit card processors agreed on. PCI DSS had some loopholes that make me uncomfortable, and that is even true of the current iteration. But even that earliest attempt was better than what we had in the year 2000.
Did the breach drive Egghead out of business?
It was less than eight months after this incident that Egghead went out of business and its property was sold to Fry’s. But I wouldn’t jump to the conclusion that the breach really harmed Egghead all that much. Kind of like NCIX, the game was pretty much over for them by then.
Besides that, the attitude toward credit card theft was a bit different then. Sloppy handling of credit card data in brick and mortar stores had been very common until the mid 1990s, and it was no secret.
In the bad old days, when someone made a credit card transaction, the receipt was a sandwich of regular paper and carbon paper. The merchant filled out the receipt, then placed the credit card and the receipt in a machine that imprinted the raised numbers on the credit card onto the receipt using the carbon paper. One copy of the receipt was for you, one was for the payment processor, and one was for the merchant. It was a good practice to tear out the carbons and give those carbons to the customer, along with their copy of the receipt.
Not everyone did that. The carbons just ended up in the trash, and a dumpster diver could potentially locate a trash bag full of these carbons. A Web consumer in the year 2000 could easily write this off as the digital equivalent of your carbons being dumpster dived. We have higher expectations of our merchants today, although I would argue our expectations still are not high enough.

David Farquhar is a computer security professional, entrepreneur, and author. He has written professionally about computers since 1991, so he was writing about retro computers when they were still new. He has been working in IT professionally since 1994 and has specialized in vulnerability management since 2013. He holds Security+ and CISSP certifications. Today he blogs five times a week, mostly about retro computers and retro gaming covering the time period from 1975 to 2000.
