Ingram Reassures VARs Its Systems Are Secure

In a prepared statement, the computer distributor said that it is "continuing to make investments that will further secure our information systems and help protect us from any unlawful acts of fraud, theft or otherwise."

Ingram said none of its VARs or vendors were affected by the alleged fraud. Furthermore, Ingram said, "Security has and will continue to be a top priority at Ingram Micro, which is why you'll continue to see us invest in securing our infrastructure from both a technology aspect as well as a physical aspect."

Ingram, which outsourced its IT operations in 2003 to Affilliated Computer Services (ACS), said it maintains a corporate and IT security staff made up of both Ingram and ACS associates, who conduct regular training and security awareness updates.

Darren McBride, president of Sierra Computers and Training, a Reno, Nev., Ingram VentureTech partner, said he was surprised by the scale and the scope of the hacking scenario.

"I am surprised the hacker was able to do what was alleged, given that Ingram is a technology company," McBride said. "I would be interested in knowing how many total customer aliases the hacker was able to use to defraud them."

McBride said he was concerned that such alleged fraud could be contributing to rising costs being passed on to resellers. Ingram, however, said the losses were not passed on to partners.

Ingram, which had annual sales of $22.6 billion in 2003, said the $6.5 million loss was accounted for as an operating expense over several years.

McBride, who expects his HIPAA security business to double this year to nearly $1 million, said the alleged fraud points to the need for all clients to secure their networks.

Ingram said it has implemented "layers of security technologies over the years and continues to contract with third-party service providers who work with our IT security team to conduct security monitoring and regular audits."

The grand jury indictment, issued Thursday, claims that notorious international hacker Calin Mateias, 24, of Bucharest, Romania, hacked into the online ordering system of Ingram Micro by posing as an Ingram customer and placing orders for as much $10 million in equipment over four years. Ingram said it was successful in stopping $3.5 million in illegal shipments.

Mateias, who uses the online nickname Dr. Mengele, was charged with conspiracy and 13 counts of mail fraud. Also charged were Olufemi Tinubu, 21 and Tarion Finley, 20, of Atlanta; Valeriu Crisovan, 27, of Hallandale, Fla.; Jeremy Long, 28, of Richmond, Va. and Warren Bailey, 21, of Anchorage, Alaska.

The five Americans are slated to be arraigned in the Los Angeles U.S. District Court by the end of August. The U.S. Justice Department is working closely with Romanian authorities to bring Mateias to justice in either Romania or the United States.

The indictment alleges that Mateias recruited internet chat room members to act as go-betweens, accepting the product from Ingram and then shipping it in exchange for a fee.

Among the steps Ingram said it has taken in the wake of the alleged scheme are: changing access rights to all information systems worldwide; modifying IT security procedures and policies; and maintaining comprehensive checks for additional security vulnerabilities.