We’re writing to inform you that on or about May 28th, 2018, unauthorized access was gained to a web server running SureFire’s website being hosted and managed by a third-party web services provider. Suspicious traffic and activity were noted, and a security audit and investigation were launched at SureFire’s direction by our web hosting vendor.
On July 22nd, the web hosting service provided SureFire with a report detailing the results of the investigation. The investigation and audit revealed that the software running the website had a particular vulnerability in the PHP and Zend frameworks. The software vendor provided a patch to close these vulnerabilities on June 22nd, by which time the unauthorized access had already occurred.
The patch closed the attack vector, but up to 2,511 transactions nationwide may have been accessed. These transactions would have taken place between May 2018, when the initial access was gained, and July 22nd, when the investigation concluded. By that date, the patch had been applied, the means of unauthorized access was closed, and remediation steps were taken to prevent recurrence.
Orders outside this timeframe were not affected. Orders not placed on the website at www.surefire.com were also not affected (e.g. phone-in orders, walk-in orders, etc. were not affected). The breach only occurred on surefire.com during the time frame indicated; all other customer data, past and present, is secure and unaffected.
Given that the breach was due to a vulnerability in the underlying software, security patches have been deployed. Additionally, increased security monitoring and measuring have been put into place to prevent a recurrence.
Our records show that you placed an order through www.surefire.com within the time frame in which the security breach occurred. The information accessed was information provided to fulfill orders on the website, which includes consumer names, shipping and billing address, and payment card information.
As a precautionary measure, we recommend that you remain vigilant by reviewing your account statements and credit reports closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. You may also wish to cancel the credit card used for the purchase you made at that time.
You also should promptly report any fraudulent activity or any suspected incidence of identity theft to proper law enforcement authorities, your state attorney general, and/or the Federal Trade Commission. To file a complaint with the FTC, go to www.ftc.gov/idtheft or call 1-877-ID-THEFT (877-438-4338).
Complaints filed with the FTC will be added to the FTC's Identity Theft Data Clearinghouse, which is a database made available to law enforcement agencies.
Additionally, you may obtain a free copy of your credit report from each of the three major credit reporting agencies once every 12 months by visiting http://www.annualcreditreport.com, calling toll-free 877-322-8228, or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348. You can print a copy of the request form at https://www.annualcreditreport.com/cra/requestformfinal.pdf. Or you can elect to purchase a copy of your credit report by contacting one of the three national credit reporting agencies listed below: