Hackers Access Data from Dozens of California Winery Customer Lists
California wineries are learning an unwanted lesson in cyber security after hackers gained access to the financial and personal data of thousands of their customers. In April, the unknown culprits hacked into eCellar Systems, which handles mailing-list sales and other direct-to-consumer transactions for dozens of California wineries, including Kosta Browne, Patz & Hall, Turley and Peter Michael.
Missing Link Networks, the Napa Valley–based company that owns eCellar, declined to answer questions. Published reports state that data from roughly 70 wineries and as many as 250,000 of their customers was exposed.
In a statement posted on the company’s website, Missing Link CEO Paul Thienes said hackers gained access to customer names, credit and debit card numbers, addresses and, in some cases, birthdates. “The intruder did not have access to any driver license numbers, Social Security numbers, CVV verification numbers or PIN numbers,” he said.
Wineries were first notified of the breach May 27, and Missing Link also contacted credit card companies, as well as law enforcement agencies, including agents at the U.S. Secret Service, which investigates financial crimes.
More than 20 wineries notified the California Department of Justice about the breach, including Cain, Charles Krug, Corison, Flora Springs, Gemstone, Heitz, Martinelli, Outpost, Pride Mountain, Repris, Rhys, Rombauer, Round Pond and Signorello. The department declined to comment, saying it was an ongoing investigation.
Wineries quickly notified their customers, many of them using a letter supplied by the California Department of Justice, which advised customers to change their winery account log-in and password information and to monitor their credit and debit card accounts for suspicious activity.
“We jumped on it immediately,” said Michael Browne, partner and winemaker of Kosta Browne Winery, which conducts roughly 80 to 90 percent of its business direct to consumer. “Our customers are the lifeblood of our business.”
Wendy Brooks, business manager of Pride Mountain, said Missing Link worked closely with wineries. “I think they told us as soon as they could and acted as quickly as they could.” Pride Mountain, like many of the wineries, hired attorneys and other specialists in the field to ensure they were in compliance with state and federal laws regarding customer data breaches.
Winery customers, for the most part, seemed to take the breach in stride, most winery staff reported. “It’s more common than it once was and people know how to respond,” said Russell Joy, president of Patz & Hall. “We got lots of phone calls once we let everyone know and most of the responses were about giving us a new credit card number.”
The amount of fraud reported by customers seems limited at this point, wineries said. One Kosta Browne customer who is on numerous mailing lists told Browne that $1,000 was falsely charged to his credit card at Best Buy, but he remains a loyal winery customer. “It’s the world we live in now,” Browne said.
Missing Link informed customers that it secured the breach and is switching to what the industry calls a token system. Tokenization replaces a credit card number with a token, a substitute value that is linked to the essential data without exposing the card number itself. Joy said that Missing Link is also undergoing a third-party audit to double-check the new security protocols.
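A minimal sketch of the token system described above, added here as an illustration; it is not Missing Link's or eCellar's code. The `TokenVault` class, the `store_customer` and `leaked_card_numbers` helpers, the customer record and the card number (a standard test number) are all constructed for the example.

```python
import json
import secrets


def _digits(pan: str) -> str:
    """Strip the spaces and dashes people type into card fields."""
    return pan.replace(" ", "").replace("-", "")


class TokenVault:
    """Hypothetical stand-in for the separately secured service that keeps real card numbers."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        digits = _digits(pan)
        if not (digits.isdigit() and 12 <= len(digits) <= 19):
            raise ValueError("not a card number")
        # The token is random, so it cannot be reversed into the card number.
        token = "tok_" + secrets.token_urlsafe(16)
        self._pan_by_token[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault can map a token back to the card number.
        return self._pan_by_token[token]


def store_customer(vault: TokenVault, name: str, address: str, pan: str) -> dict:
    """Build the record the sales system keeps: a token and last four digits, never the full number."""
    return {"name": name, "address": address,
            "card_token": vault.tokenize(pan), "card_last4": _digits(pan)[-4:]}


def leaked_card_numbers(records: list, pans: list) -> list:
    """Return which of the given card numbers appear anywhere in a dump of the records."""
    dump = json.dumps(records)
    return [p for p in pans if _digits(p) in dump]


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111 1111 1111 1111"  # constructed sample: a well-known test card number
    db = [store_customer(vault, "Sample Customer", "1 Example Rd, Napa, CA", test_pan)]
    print(db[0])
    print("card numbers in a stolen copy of the database:", leaked_card_numbers(db, [test_pan]))
```

A copy of the sales database taken by an intruder then contains names, addresses and tokens, and charging a card still requires access to the vault.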
For most of the wineries, the breach means added costs, work and aggravation, but it also provided a reminder to be diligent with data security throughout the winery, checking compliance and updating staff training.
“This certainly isn’t a situation that we would have sought out, but we’re going to come out of this stronger,” Brooks said.