Another day... another data breach. Received an email this morning from e-onsoftware (VUE) informing its customer base of a data breach that was discovered in late November of 2017. According to the rather lengthy email they shut down their main server on December 19th.
It was discovered that the breach happened as far back as June 2013, giving the perps access to:
...names, addresses, email addresses, phone numbers, order and transaction information, membership information, subscription and maintenance plan information, public forum posts, technical support requests, software license information, and activation information.
The next statement is a bit better:
Based on what we know now, there is no evidence that login passwords and sensitive financial information including banking information and credit or debit card information were compromised as this data was protected by encryption and hashing.
I should know a little about this since, like some of us, I've had a lot of experience with my info getting out into the wild of the dark net from the huge Adobe breach forward. I've changed my credentials more times than I want to count in the past few years as I have gotten enough of these notices to take them in stride now. Let's hope for the best but it sounds like customers (and e-on) have a rough road to travel in the coming months.
Bentley Systems acquired e-on in 2015 according to the email, and the usual boilerplate concerns and steps taken about future security are included. The email was lengthy for this sort of notice. I have no idea how well the breach was handled but after a little research there are some unhappy users due to a lack of information when it happened. Things just went offline according to forum posts.
I haven't used VUE much since the 2014 version due to a lack of need for it, so I wasn't keeping up with what was going on and the email came out of nowhere. That is never a good sign for customers.
As it stands users cannot sign into their account as they are offline and the Cornucopia3D store redirects to the info.e-onsoftware.com site that appears when typing in the main URL. Which, curiously, makes no mention of the breach. Seems most old links now redirect to the info site. According to the notice they will have to rebuild from the ground up and are considering finding a way for customers to download content in the meantime. They also stated that the store might be the last to be brought back online due to complexity.
At first it doesn't seem too bad, then the negatives start stacking up as you consider the impact of the breach.
What about store vendors that might be owed money from online sales? Have they been paid since the store will be offline for some time meaning more loss of revenue? I'm not a vendor, so that might be taken care of; at least I would hope so, but there was a forum post questioning this from a vendor.
Can users do a new install of the software with the servers offline? I can find no information on this. Were that the case... well... that's the downside of DRM and licensing software. Tough Luck should be the official policy name as the customers are left out in the cold until a fix is available. Hopefully... that too has been taken care of by now.
According to the email, with the main server down, they can process requests during the operating hours of their home office, 9:00 am to 5:00 pm (UTC +1:00). We are starting to see a pattern here.
Once again... iterations of "We are very sorry" are bandied about till it no longer holds meaning no matter how well-intentioned. Some of us are just too shell-shocked over the years to believe corporate speak anymore. In their defense... well... I couldn't find anything in their defense. When you consider the breach discovery is months old and they just now got out a notification to customers, their action appears indefensible.
I believe in their software and their people. Both have been good to me when I needed the tools. However, the delay in notification is a major fail and the rebuilding of their infrastructure seems to indicate an obsolete system was left in place too long. I'm guessing they aren't the only digital sales company that went down this road of denial. I'm just hoping I'm not on board any more of these data breach train wrecks. I'm running out of passwords.
M.D. McCallum, aka WarLord, is an international award-winning commercial graphics artist, 3D animator, published author, project director and webmaster with a freelance career that spans over 20 years. M.D. is currently working on VR projects and characters. You can learn more about M.D. at his website.