Burnt Ridge Nursery warning

Sorry, I do not know if there were any warnings already, but I had unauthorized purchases recently, and knew one of the nursery sites had let my card info get stolen. It appears after an email I received last night from BRN it was them. If you used your card on their website from Sept 2020-Feb 2022 your info may have been stolen.

9 Likes

Thanks for the heads up and welcome to the forum!

Edit: I checked and had used PayPal for my account. This is a good reason to use that extra layer of protection instead of using your credit card directly.

10 Likes

I had placed an order with them last September, and my cc numbers were stolen in November. At that time I couldn't figure out where it was, but now I think they're responsible for it.

1 Like

Would you like to contact Burnt Ridge Nursery and ask to speak with the owner?

He may not know about this. Burnt Ridge has been one of the good nurseries.

3 Likes

We got the email from Burnt Ridge last night regarding the breach.

1 Like

I also had an unauthorized purchase on the credit card I had used for an order with them.

I believe they should know. Their names are signed at the bottom of the warning email sent.

3 Likes

I just wonder how businesses store CC info.

If you place an order with CC info sent in, businesses have some ways to store CC info? I thought CC info is sent through processing sites and CC info is not stored at business level. Unless you agree to store CC info like with Southwest airline etc.

Of course all businesses store customer names, address etc.

Burnt Ridge charges one's credit card at the time of shipping not at the time of ordering, so they need to store the credit card. Other nurseries pretty much take your money when you place an order. Maybe Burnt Ridge needs to change this approach.

2 Likes

This is unwarranted slander. It infers that a nursery purposely let your info be stolen.

In the case of Burnt Ridge

Burnt Ridge Nursery and Orchards, Inc. ("Burnt Ridge") recently became aware of a data security incident involving the presence of malware on the servers of one of our third-party vendors.

1 Like

Hello! I've been a forum lurker for a while. This seemed a good time to chime in since I work as a web developer. :slight_smile:

Storing CC info depends on the website, and it really varies. Websites that handle credit card info directly really should follow PCI Compliance standards to ensure secure handling, but many smaller ones often can't afford the complexity it requires.

Like disc4tw mentioned, using PayPal or another major payment processor ensures your CC info can't be handled directly by the business. Generally, if you're typing your card info into a website directly (and don't get a popup or redirected to PayPal or similar), then that website has access to that card info.

I tend to avoid giving my CC info to small websites like the plague. PayPal, Google/Apple Pay, Amazon Pay, Square… there are a lot of secure options, and if a site doesn't offer one, a check or bank draft is the way to go, in my opinion.

17 Likes

Yes, certainly large businesses like Macy's and Southwest Airlines have IT teams that manage their own e-commerce and store our CC info. But a small business like a nursery?

I would think the nursery uses an outside IT contractor to manage order flow. CC info is stored at the 3rd party IT platform, not at the nursery. So the CC info is stolen at the IT site, not at the nursery. You can certainly place an order at the nursery over the phone. But I do not think the nursery would type your CC info into its own computer database to store CC info.

So if we call the nursery to alert them, they have to alert the IT contractor. I would think those IT contractors are not sophisticated.

And some of those IT contractors do not even make Paypal available to use.

1 Like

Yes, I forgot to mention their 3rd party payment processor is what got hacked. I typed one of the nursery websites because the card that had its info taken was only used in online nursery purchases because of the various sketchy payment methods I have seen from a fair share of nursery websites. I figured someone was gonna get my info before even making the purchases. Sorry, truth isn't slander.

5 Likes

Good to bring this topic up. I've had a couple credit cards get unauthorized usage.
But Burnt Ridge had nothing to do with either of my incidences, as I didn't have the cards in question at the time of my last Burnt Ridge order.

Crooks and thieves are everywhere anymore from some of the highest offices in the land to the tiniest mom and pop business trying to eke out a living in a world where the deck is stacked against them.
I try to rotate the people I give business to, favoring local, small and domestic sellers if possible.

Bottom line, I've never had to actually pay for any 'stolen usage' of any of my cards.
But, if not vigilant, thieves and hackers can do a lot of damage. Sometimes it's employees or disgruntled ex-employees that have something to do with stolen and sold information.

And glad to have another hobby fruit guy to share thoughts on the fruit forum. Welcome!

3 Likes

Yes, that is why I still made the purchases despite being wary. If I don't help support them they could go under. I did not mean to sound as if they let it happen on purpose. I know they can't afford to have the top of line amazon cloud based website that can, and will still get hacked. I was simply letting people know in case they hadn't gotten, or read the email yet.

2 Likes

It is not just that we are not responsible for those unauthorized charges. It is that our personal information gets compromised. Some parties have our SSN, DOB, Address and financial info. We do not know when they will attack again.

Some website checkout pages iframe the card entry form to service providers who specialize in cardholder security. We do so at work, I'm glad our web apps do not receive/store/transmit card data at all. By contrast it looks like Burnt Ridge ingests cardholder data directly into their web apps. Or so it appears from putting an item into the cart and proceeding to the card entry form and watching what my browser is talking to. Also, Netcraft says their webserver is Windows Server 2008. That OS was end-of-life'd by Microsoft in January of 2020.
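
What the post above describes, as an added example that is not part of the original thread: a static check of checkout HTML that reports whether card fields sit in the merchant's own page or inside an iframe served from another origin. The URLs, sample markup, field-name hints and function names are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# autocomplete tokens the HTML standard defines for payment card fields
CARD_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year"}
# Assumption: name/id substrings treated as card hints when autocomplete is absent
CARD_NAME_HINTS = ("cardnumber", "ccnum", "cvv", "cvc")

def origin(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()

class CheckoutScan(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.card_inputs = []       # card fields present in the merchant's own DOM
        self.foreign_iframes = []   # iframe origins that differ from the page origin

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            o = origin(urljoin(self.page_url, a["src"]))
            if o != origin(self.page_url):
                self.foreign_iframes.append(o)
        elif tag == "input":
            label = (a.get("name", "") + a.get("id", "")).lower()
            label = label.replace("-", "").replace("_", "")
            tokens = set(a.get("autocomplete", "").lower().split())
            if tokens & CARD_AUTOCOMPLETE or any(h in label for h in CARD_NAME_HINTS):
                self.card_inputs.append(a.get("name") or a.get("id"))

def classify(page_url, html):
    scan = CheckoutScan(page_url)
    scan.feed(html)
    if scan.card_inputs:
        # Card fields in the merchant DOM: the site and every script on it can read them
        return "merchant-page", scan.card_inputs
    if scan.foreign_iframes:
        # Candidate hosted fields: card entry may live in the other origin's frame
        return "hosted-iframe", scan.foreign_iframes
    return "no-card-form", []

# Constructed sample pages (static HTML only; script-injected fields are not seen)
DIRECT = ('<form action="/checkout/pay" method="post">'
          '<input name="card_number" autocomplete="cc-number">'
          '<input name="cvv" autocomplete="cc-csc"></form>')
HOSTED = ('<form action="/checkout/confirm" method="post"><input name="email">'
          '<iframe src="https://pay.processor.example/fields"></iframe></form>')
```

A "hosted-iframe" result only says where a card form could be isolated; confirming it means checking that the frame's origin belongs to the payment provider.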

The same thing happened to me twice. I couldn't prove it stemmed from BR, but it happened two years in a row after BR orders. That tells you it is nothing new. I'm glad you posted this. Two years, two new cards. Not fun.

I, OTOH, cannot use the larger dot-com clearinghouses such as (but not limited to) Walmart, Amazon, eBay, CraigsList, Google, and the like. I browse the Internet through TOR, a fork of Firefox, hardened against pop-up ads, javascript exploits, cross-site scripting exploits, encryption de-escalation exploits, etc. This makes me, personally, anathema to the large content providers (including all the associated dot-com clearinghouses mentioned, above) and their content-delivery running dogs such as Cloudflare whose revenue depends largely on conveying ads and tracking my cross-site shopping behavior. TOR successfully evades all of that. Furthermore, TOR acts as a virtual private network (VPN) by routing each of my Internet queries and responses through a series of servers located around the world. The Web sites I visit are all concealed from my ISP. My ISP is concealed from each Web site I visit. While greatly magnifying the latency of my Web access, TOR offers the benefit of perfect end-to-end encryption, which completely shields me from tracking.

The downside is that the clearinghouses require me to have a physical Internet connection plausibly located in the same nation as my billing and delivery addresses, which they try to deduce from the IP address I use to access their Web pages. I have had Walmart and Amazon orders preempted after being approved, presumably by security firm(s) hired to audit their orders for problems like this. When confronted, they cannot or will not explain why my orders were repudiated but ask that I resubmit. Unfortunately, the orders are summarily rejected once again.

Google has put me on notice that my country of origin will be changed to Luxembourg after using the same account for ten years.

I use TOR as my default browser and refuse to do my shopping with more open versions of Firefox, which expose my IP address along with other identifying information on my PC that are then used to build an online dossier on me for sale. Therefore, I've cancelled accounts with Walmart, Amazon and eBay and try to shop at smaller retailers who do their own credit-card processing.

Thankfully, although more and more Web content is foreclosed to me and to all users of TOR exit nodes, there is still much that's available, such as this Growing Fruit bulletin board. You see, providing identity by logging into a Web site doesn't always present a problem to me if I don't feel I need anonymity for what I have to say. What I deeply resent, though, is the pervasive surveillance of my comings and goings.

6 Likes

I had mine stolen at Amazon, so we no longer have a card there. Whenever we need to buy something, we put in a card and then we remove it afterwards. Luckily we don't have to do this often. Every time I travel, when I come back I close that particular card and get another replacement. This is to avoid fraud.

3 Likes