August 8, 2016 -- Letter From Our CEO Regarding Security

Because of the amount of information about your security in this letter from our CEO, we have included a FAQ section at the end of the letter to give you quick answers to questions you may have regarding the security of our websites JadeBloom.com and JadeBloomUniversity.com.

Dear Jade Bloom Customer,

As Chief Executive Officer, and with my technical background, security of our customers' sensitive data is a top priority and I take personal responsibility for our website vulnerabilities, potential data leaks, and simply stated, any time our technology sucks.  Because of several reports from customers in the past 2 weeks that they suspect their credit card data was stolen when placing an order at https://JadeBloom.com, we have conducted a detailed analysis of our security and the purpose of this letter is to address those concerns and to discuss some changes we have implemented.

This week, the Wall Street Journal reported that the personal Twitter accounts of Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, and even Twitter's own CEO Jack Dorsey had just been hacked.  You may also remember the widely publicized data breach of Target's database, which exposed 40 million cardholders to theft.  The reality is that every company, no matter how large or how well funded, is susceptible to hackers.  Even if you choose not to use the Internet, your personal information is still available through online databases managed by mortgage companies, utility companies, and our government.

As such, Jade Bloom has chosen not to store sensitive data that could be used to damage our customers' finances or identity.  From our inception, this has always included credit card data, but we have recently expanded this corporate policy to include Social Security numbers, which we previously used to identify customers participating in Jade Bloom University for the purpose of receiving free product.  Any customers who provided their Social Security numbers at https://JadeBloomUniversity.com no longer carry a risk of those numbers being compromised, as we have completely deleted that data from our server and we no longer require our customers' Social Security numbers when registering at our University.

Over the past 3 weeks, we have been conducting a detailed analysis of the security of our servers and software platforms, relying on industry experts for data protection advice and on lead professionals with an understanding of Magento.  Magento is the largest open source eCommerce platform, used and trusted by some of the world's leading brands such as Nike, Olympus, Samsung, and Ford.  Jade Bloom is among the 200,000 other merchants that trust the robust framework Magento provides for securely processing transactions, while it gives us complete control over our code base for the customization needed to provide our loyal customers with a unique omnichannel shopping experience across our website, mobile site, retail store, and our soon-to-be-released mobile apps for iOS and Android.

Even though we have never stored our customers' credit card data, our analysis revealed several vulnerabilities that existed prior to August 7th that would make it possible for hackers to obtain card data at the moment an order was placed.  Magento releases regular security patches as hackers discover new ways to compromise the framework.  Merchants with a policy of installing new security patches immediately as they are released dramatically reduce the risk that data may be compromised.  While it has normally been our practice to quickly implement newly released patches, we did not immediately install the patch known as SUPEE-6788 when it was released.  Today I acknowledge that this was a mistake, but it is not a mistake we will make in the future.

The decision not to install SUPEE-6788 when it was released was due to 2 pieces of critical information we had at the time.  First, because we use the highest level of SSL encryption for all data that flows through our website, combined with the corporate policy of not storing customer card information in a database that could potentially be compromised, experts instructed us that our customers' card data could not possibly be at risk, with or without the added security provided by SUPEE-6788.  Second, at the time SUPEE-6788 was released, the customization of our codebase was very extensive, and our development team learned that the patch would cause many key customized features of our website to become inoperable, such as our loyalty point program, affiliate program, point of sale extension, gift voucher codes, Collectors Club subscription program, and a few other less important features.

In the past few weeks, as we started receiving reports from customers that they suspected their card data had been stolen from our site, we revisited the decision not to install SUPEE-6788, and our analysis also revealed a few other security loopholes.  We discovered that the patch would eliminate 10 security issues, including the following 3 key vulnerabilities that could potentially compromise credit cards even with the security measures already in place on our website: SQL injection, information leak, and cross-site scripting.  Immediately, with this new information, we installed SUPEE-6788 on our live server and then began re-coding the features of our website that the security patch broke.

Although, because of the nature of the vulnerability, we are unable to verify whether our customers' cards were ever compromised, it is extremely regrettable that our poor decision moved our website into a medium-risk category of security during this period.  We encourage all of our customers to immediately review their bank statements and report any suspicious charges to their bank.  Banks are required to provide you with the protection needed if you do in fact discover fraud.  As of August 7th, I'm happy to report that not only is our site fully secure again, but all features of our website are also fully functioning.  It's important to note that our server has never been compromised with malicious code, nor did hackers obtain access to our backend administrative systems through brute force attacks or any other hacks.

Additionally, we have added an extra layer of security that routes all traffic attempting to access JadeBloom.com through a platform called CloudFlare (CloudFlare.com).  The technology immediately refuses a connection to our server from any block of IP addresses that is a known threat.  It automatically detects new attacks that arise against any website and immediately blocks the attacker from the entire community.  Intelligent reputation-based software uses data from a variety of sources to provide the first line of defense for Jade Bloom against every suspicious visitor.

Through our technical learning these past few weeks, we have also spun up a new development server designed specifically for the installation of future security patches that will give us the ability to quickly close any gaps in our codebase without the development process affecting our customers’ shopping experience in any way.

With our culture of continual development of natural products and our frequent promotions, the average Jade Bloom customer returns to one of our shopping channels every 15 days.  We understand that re-entering your credit card each time you make a purchase with us is inconvenient and as such we are making it easier and quicker to order the products you want.  Balancing security of credit card data with the ease of re-ordering is a delicate process, but a process we believe we have mastered with the introduction of the Collectors Club and our soon-to-be-released mobile apps.  Any website that offers the ability to easily reorder without the need to re-enter your card data can only do so if your credit card data is stored somewhere. This is no different for Jade Bloom, but the way your data is stored provides an extra layer of protection that we want you to understand.

First, let’s discuss how this works with our mobile apps.  If you decide to download our mobile app once it is released, you will be able to add your credit card to the app, and that card data will automatically be retrieved during the checkout process.  That card data is not stored with Jade Bloom; rather, it is encrypted and stored locally on your mobile device.  The only way the card data could be compromised when placing your orders through our mobile app is if a hacker had physical access to your device and was able not only to hack the software locally on your device but also to decrypt the encrypted number.  This would be extremely difficult and very unlikely.  Alternatively, a hacker could potentially obtain card data after you hit the submit order button on the app: the encrypted data is passed through our Magento platform, then through our online gateway Authorize.net (I’ll discuss Authorize.net in greater detail below), and directly to your bank for approval.  At no point during this transaction is your card data ever stored anywhere other than on your mobile device.  In this scenario, a hacker would have to penetrate the Magento platform, which is secured with SSL encryption and the latest security patches and operates behind the extra layer of protection offered by CloudFlare.  Again, this would be extremely difficult and very unlikely.  As such, our mobile apps provide the convenience and ease of ordering with saved credit card data, with a tremendous amount of protection for our customers.

Our Collectors Club provides many benefits for our loyal customers, one of which is the convenience of receiving new products each month without having to return to JadeBloom.com to re-enter a credit card number.  Jade Bloom is able to provide this subscription box service without storing customer card data by utilizing a secure service provided by Authorize.net called ARB (Automatic Recurring Billing).  Authorize.Net enables merchants to authorize, settle and manage credit card and electronic check transactions via websites, retail stores, mail order/telephone order (MOTO) call centers, and mobile devices.  It was founded in 1996 and is a wholly owned subsidiary of Visa (NYSE: V).  Authorize.Net is reputed to be one of the most secure websites in the world and is trusted by more merchants than any other gateway to manage credit card transactions and store customer card data for recurring billing.  Their services allow us to stay true to never storing our customers’ credit card data while still offering the convenience of recurring billing through our Collectors Club.

As of today, we believe we are a much stronger and safer place for our customers to visit and explore the benefits of natural health and healing while having some peace of mind that their sensitive data is safe.  Additionally, we are better prepared for growth and reaching new customers in the mass market.  Jade Bloom exists to change the way people think about health and the safety and security of our websites will not be a distraction from this larger calling.

If you have any questions or concerns regarding the security of our websites or your private data, please feel free to reach out to me personally at my email address.  Today I met with our customer service teams for live chat, email support, and phone support and any of them would also be happy to assist you with your questions or concerns.

Thank you for your patience with us and your continued support of Jade Bloom and our mission.  We look forward to serving your needs in Health, Healing, and Happiness™.


Sincerely Yours,

Adam Wilkinson

Chief Executive Officer

Jade Bloom Inc

[email protected]


Frequently Asked Questions Regarding Security

Q: Does Jade Bloom store my credit card information that hackers could potentially steal from a database?

A: No.  Jade Bloom has never stored our customers’ credit card data.


Q: Does Jade Bloom store my social security number that hackers could potentially steal from a database?

A: No.  Prior to July 31, 2016, Social Security numbers could optionally be provided at JadeBloomUniversity.com by enrolled students wishing to receive free products for their learning progress.  Since July 31, 2016, we no longer require Social Security numbers to receive free products, and all Social Security numbers we had received were permanently deleted from our database.

Q: Is it possible for my credit card data to have been stolen on orders placed before August 7, 2016, if Jade Bloom doesn’t store card data?

A: Yes.  Between the release of the Magento security patch SUPEE-6788 and August 7, 2016, Jade Bloom’s security risk level was raised from low to medium.

Q: Is it possible for my credit card data to have been stolen on orders placed after August 7, 2016?

A: It’s very unlikely.  Even some of the largest and most well-funded organizations have had their data compromised proving that no website is risk-free or immune from data breaches.  However, with Jade Bloom’s policy to immediately implement future security patches to Magento, the use of SSL encryption for every web page of JadeBloom.com, the extra level of security provided by CloudFlare, and the commitment to not store customer credit card data, it is very unlikely that your card data could be compromised by placing an order at JadeBloom.com.


Q: How has Jade Bloom increased the security of its websites and the protection of my data?

A:
1) Ensuring every security patch released by Magento to date has been installed
2) A new commitment to immediately install future security patches, using a development server designed for this very purpose
3) Using best practices in SSL encryption
4) Adding CloudFlare for an additional level of security
5) Implementing new policies for password management
6) Upgrading the version of PHP used on the live servers and development servers
7) Not storing customer credit card data


Q: If I am a member of the Collectors Club, how can Jade Bloom automatically charge my card for $18.95 each month if they don’t store my credit card data?

A: Jade Bloom is able to provide this subscription box service without storing our customers' card data by utilizing a secure service provided by Authorize.net called ARB (Automatic Recurring Billing).  Authorize.Net enables merchants to authorize, settle and manage credit card and electronic check transactions via websites, retail stores, mail order/telephone order (MOTO) call centers, and mobile devices.  It was founded in 1996 and is a wholly owned subsidiary of Visa (NYSE: V).  Authorize.Net is reputed to be one of the most secure websites in the world and is trusted by more merchants than any other gateway to manage credit card transactions and store customer card data for recurring billing.  Their services allow us to stay true to never storing our customers’ credit card data while still offering the convenience of recurring billing through our Collectors Club.
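
To make the ARB arrangement described in the letter and in this answer concrete, here is an added example (it is not Jade Bloom's or Authorize.Net's code). It builds the ARBCreateSubscriptionRequest document that Authorize.Net's XML API accepts, parses the gateway's reply, and shows what the merchant's own database keeps afterwards: a subscription id and the last four digits, never the card number. The API login id, transaction key, card number (the 4111... test card), subscription name, customer id and both reply documents are constructed test values; the HTTPS POST to Authorize.Net's request endpoint is deliberately left out so the example runs offline.

```python
"""Recurring billing without holding card numbers: an Authorize.Net ARB request.

Added example, not Jade Bloom's or Authorize.Net's own code. Credentials, card
number and the two reply documents below are constructed test values.
"""
import json
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

ANET_NS = "AnetApi/xml/v1/schema/AnetApiSchema.xsd"
TEST_LOGIN_ID, TEST_TRANSACTION_KEY = "EXAMPLE_LOGIN", "EXAMPLE_KEY"  # constructed
TEST_PAN, TEST_EXPIRY = "4111111111111111", "2025-12"                  # test card


def _sub(parent: ET.Element, tag: str, text: Optional[str] = None) -> ET.Element:
    el = ET.SubElement(parent, f"{{{ANET_NS}}}{tag}")
    el.text = text
    return el


def build_arb_request(login_id: str, transaction_key: str, pan: str, expiry: str,
                      amount: float, start_date: str, first_name: str,
                      last_name: str, ref_id: str = "jb-example") -> bytes:
    """Serialize a monthly ARBCreateSubscriptionRequest.

    Child order follows the Authorize.Net schema sequence (merchantAuthentication,
    refId, subscription; inside subscription: name, paymentSchedule, amount,
    payment, billTo), which the API enforces.
    """
    ET.register_namespace("", ANET_NS)
    root = ET.Element(f"{{{ANET_NS}}}ARBCreateSubscriptionRequest")
    auth = _sub(root, "merchantAuthentication")
    _sub(auth, "name", login_id)
    _sub(auth, "transactionKey", transaction_key)
    _sub(root, "refId", ref_id)
    sub = _sub(root, "subscription")
    _sub(sub, "name", "Collectors Club")
    sched = _sub(sub, "paymentSchedule")
    interval = _sub(sched, "interval")
    _sub(interval, "length", "1")
    _sub(interval, "unit", "months")
    _sub(sched, "startDate", start_date)          # YYYY-MM-DD
    _sub(sched, "totalOccurrences", "9999")       # 9999 = bill until cancelled
    _sub(sub, "amount", f"{amount:.2f}")
    card = _sub(_sub(sub, "payment"), "creditCard")
    _sub(card, "cardNumber", pan)                 # the PAN leaves the merchant here
    _sub(card, "expirationDate", expiry)          # YYYY-MM
    bill = _sub(sub, "billTo")
    _sub(bill, "firstName", first_name)
    _sub(bill, "lastName", last_name)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def parse_arb_response(xml_bytes: bytes) -> Tuple[bool, Optional[str], str]:
    """Return (success, subscriptionId or None, first message text)."""
    root = ET.fromstring(xml_bytes)
    ns = {"a": ANET_NS}
    ok = root.findtext("a:messages/a:resultCode", default="", namespaces=ns) == "Ok"
    sub_id = root.findtext("a:subscriptionId", default=None, namespaces=ns)
    text = root.findtext("a:messages/a:message/a:text", default="", namespaces=ns)
    return ok, sub_id, text


def merchant_record(customer_id: str, pan: str, response_xml: bytes) -> Optional[Dict[str, str]]:
    """What the merchant database persists after the gateway call: no PAN."""
    ok, sub_id, _ = parse_arb_response(response_xml)
    if not ok or not sub_id:
        return None
    return {"customer_id": customer_id, "subscription_id": sub_id, "card_last4": pan[-4:]}


def record_leaks_pan(record: Dict[str, str], pan: str) -> bool:
    """Guard for tests and log scrubbing: does the stored record contain the PAN?"""
    return pan in json.dumps(record)


# Constructed replies in the shape Authorize.Net returns.
SAMPLE_OK_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<ARBCreateSubscriptionResponse xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
  <refId>jb-example</refId>
  <messages><resultCode>Ok</resultCode>
    <message><code>I00001</code><text>Successful.</text></message></messages>
  <subscriptionId>100748</subscriptionId>
</ARBCreateSubscriptionResponse>"""

SAMPLE_ERROR_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<ARBCreateSubscriptionResponse xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
  <messages><resultCode>Error</resultCode>
    <message><code>E00013</code><text>Card Number is invalid.</text></message></messages>
</ARBCreateSubscriptionResponse>"""

if __name__ == "__main__":
    req = build_arb_request(TEST_LOGIN_ID, TEST_TRANSACTION_KEY, TEST_PAN, TEST_EXPIRY,
                            18.95, "2016-09-01", "Jane", "Doe")
    print(req.decode())
    print(merchant_record("cust-42", TEST_PAN, SAMPLE_OK_RESPONSE))
```

Note that the request body itself carries the card number: even with ARB, the PAN still transits the merchant's server on its way to the gateway, which is exactly the checkout-time window the letter describes for orders placed before the patch. Keep that request out of application logs and error traces, and persist only what merchant_record returns.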


Q: How do the new Jade Bloom apps for iOS and Android mobile devices allow me to place orders without entering my credit card if Jade Bloom doesn’t store my card data?

A: If you decide to download our mobile app once it is released, you will be able to add your credit card to the app, and that card data will automatically be retrieved during the checkout process.  That card data is not stored with Jade Bloom; rather, it is encrypted and stored locally on your mobile device.  The only way the card data could be compromised when placing your orders through our mobile app is if a hacker had physical access to your device and was able not only to hack the software locally on your device but also to decrypt the encrypted number.  This would be extremely difficult and very unlikely.  Alternatively, a hacker could potentially obtain card data after you hit the submit order button on the app: the encrypted data is passed through our Magento platform, through our online gateway Authorize.net (see the Collectors Club question above), and directly to your bank for approval.  At no point during this transaction is your card data ever stored anywhere other than on your mobile device.  In this scenario, a hacker would have to penetrate the Magento platform, which is secured with SSL encryption and the latest security patches and operates behind the extra layer of protection offered by CloudFlare.  Again, this would be extremely difficult and very unlikely.  As such, our mobile apps provide the convenience and ease of ordering with saved credit card data, with a tremendous amount of protection for our customers’ card data.


Q: What is SSL encryption?

A: SSL (Secure Sockets Layer), together with its successor TLS (Transport Layer Security), is the standard security technology for establishing an encrypted link between a web server and a browser.  This link ensures that all data passed between the web server and the browser remains private and unaltered in transit.  It is an industry standard used by millions of websites to protect their online transactions with their customers.


Q: What is security patch SUPEE-6788?

A: Magento released a patch, SUPEE-6788, which addresses security-related issues such as information leaks and remote code execution.  These types of threats can compromise a site in many ways, including having sensitive data stolen.  This patch allows a Magento website to protect against these compromises, but, unlike most Magento security patches, it is tricky to implement and can cause many features of a website to stop functioning after installation.
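
The letter's new policy of installing every Magento patch as it is released only holds up if someone can verify, on demand, which patches a store actually has. Here is an added example of that check (not Jade Bloom's or Magento's code). Magento 1 appends a line to app/etc/applied.patches.list each time an official SUPEE patch script is run; the layout assumed here, with the patch name in the second pipe-separated field, the sample file contents, and the list of required patches are all constructed for this example, and a store's real required set depends on its Magento version.

```python
"""Check a Magento 1 store's applied-patch log for required SUPEE patches.

Added example, not Jade Bloom's or Magento's own code. Assumes the layout of
app/etc/applied.patches.list puts the patch name in the second "|" field.
"""
import re
from typing import Dict, List

# Constructed sample of app/etc/applied.patches.list: a store that applied two
# earlier patches and then skipped SUPEE-6788 and everything after it.
SAMPLE_APPLIED_PATCHES = """\
2015-02-12 14:02:11 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | 0a1b2c3d | Mon Feb 09 2015 | SUPEE-5344 | patch
2015-05-18 09:41:50 UTC | SUPEE-5994 | CE_1.9.1.0 | v1 | 4e5f6a7b | Thu May 14 2015 | SUPEE-5994 | patch
"""

# Illustrative required set for a Magento 1.9 store in mid-2016 (an assumption
# of this example; take the authoritative list from Magento's security center).
REQUIRED_PATCHES: List[str] = [
    "SUPEE-5344", "SUPEE-5994", "SUPEE-6285", "SUPEE-6788", "SUPEE-7405", "SUPEE-8167",
]

# "<timestamp> UTC | <patch name> | ..." ; only the first two fields matter here.
_LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC) \| (SUPEE-\d+) \|")


def applied_patches(listing: str) -> Dict[str, str]:
    """Map each SUPEE patch recorded in the listing to the time it was applied.

    Lines that do not match the expected layout (blank lines, notes) are skipped
    rather than guessed at, so a malformed file cannot make a patch look present.
    """
    found: Dict[str, str] = {}
    for line in listing.splitlines():
        m = _LINE_RE.match(line)
        if m:
            found[m.group(2)] = m.group(1)
    return found


def missing_patches(listing: str, required: List[str]) -> List[str]:
    """Return the required patches absent from the listing, in the order given."""
    applied = applied_patches(listing)
    return [name for name in required if name not in applied]


def patch_report(listing: str, required: List[str]) -> str:
    """Human-readable summary suitable for a deploy check or a cron job."""
    applied = applied_patches(listing)
    lines = [f"applied: {name} ({applied[name]})" for name in required if name in applied]
    missing = missing_patches(listing, required)
    lines += [f"MISSING: {name}" for name in missing]
    lines.append("status: " + ("ok" if not missing else f"{len(missing)} patch(es) missing"))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Pass the path of a real applied.patches.list as the first argument,
    # or run with no arguments to check the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_APPLIED_PATCHES
    print(patch_report(text, REQUIRED_PATCHES))
    sys.exit(1 if missing_patches(text, REQUIRED_PATCHES) else 0)
```

Run against the sample, the report lists SUPEE-6788 among the missing patches and exits non-zero, which is the signal a deploy pipeline or the letter's dedicated patch-testing server would use to refuse a release.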


Q: What is CloudFlare?

A: CloudFlare can be implemented on any website by simply changing the DNS settings, which re-routes all traffic through the CloudFlare filtering system before the visitor can access the website.  The technology immediately refuses a connection from any IP address that is a known threat.  It automatically detects new attacks that arise against any website and immediately blocks the attacker from the entire community.  Intelligent reputation-based software uses data from a variety of sources to provide the first line of defense for Jade Bloom against every visitor.


Q: What do I do if I believe my credit card data has been stolen?

A: Immediately contact your bank and report any suspicious transactions to their fraud department.  Your bank is required to protect you from financial loss in the case of fraud committed from your stolen credit card data.