The owner of Colonial Car Wash says a credit card breach at the Altamont Avenue location was due to a too-easy password being cracked by a hacker — and the problem is fixed.
Owner David Fusco said Monday that an independent IT company hired to investigate the cause of the breach was able to hack into the company’s computer system within 15 minutes. The password was originally set by another IT company, said Fusco, who also advised the public to use strong passwords with capital letters and underscores to better protect their personal information.
“It was a very easy password,” said Fusco, who declined to divulge the exact password. “It was a dictionary name and the first letters of Colonial Car Wash. And the user name was ‘admin.’ Anybody who uses ‘admin’ for a user name should be hit in the head with a hammer.”
The investigation began when bank managers from M&T Bank, First Niagara Bank and Price Chopper Federal Credit Union contacted the police with reports of customers being scammed after using cards at the car wash in early March.
In a statement issued Saturday, Fusco said the breach — which is being investigated by Rotterdam police and the U.S. Secret Service — stemmed from one hacker who broke through the software’s firewall security, according to the independent IT company. Fusco said the software has since been completely upgraded and improved, and the problem has been fixed since April 1. The internal point-of-sale computer systems were not tampered with, nor was an employee, manager or owner involved, he said.
“We are confident that these state-of-the-art upgrades will render our system completely secure,” he said, adding that customers were not exposed to potential identity theft, as the stolen information was limited to credit and debit card numbers.
The affected cards were limited to 100, all at the car wash’s Rotterdam location, Fusco said. Police previously said they had received about 100 complaints, but suggested there could be many more victims.
Police also said they’d received some complaints from customers at locations on State Street in Schenectady and Western Avenue in Guilderland.
“After 40 years of doing business in the local community, it is of utmost importance that our customers are confident in the knowledge that Colonial Car Wash cooperated with both local and federal law enforcement in the investigation at all times, worked diligently to ensure that we determined the cause of the breach and have implemented any and all corrective measures required,” he said.
Fusco released the statement “in an effort to quell misinformation, conjecture and rumors,” which he said did “incalculable” damage to the business’s reputation. He said he previously declined comment at the request of federal investigators.
Fusco said 70 percent of Colonial’s customers are part of an unlimited carwash program in which they provide their credit card information and are charged $30 a month, and Colonial has lost many of those customers since the breach.
“It’s been detrimental,” he said. “It’s been very, very bad.”