This is big news about a small breach. The self proclaimed “leader in computer forensics and incident response solutions” discovered a security breach on December 7th, 2005. SecurityFocus reported today that financial information including CVV was lost:

The breach, which took place in November, resulted in the loss of customer names, credit-card numbers and the three-digit card verification values (CVVs), which merchants are not supposed to retain, according to reports.

This is also reported on news.com.com (strange domain name, eh?):

The attack occurred in November, but wasn’t discovered until Dec. 7, John Colbert, chief executive officer of Guidance, said in an interview Monday. The attack exposed data on thousands of the company’s customers, including 3,800 whose names, addresses and credit card details were exposed, he said.

However, the official Guidance letter clearly states in the first paragraph “Fortunately, the database that was compromised did not contain any of your financial information that could put you at risk of identity theft.”

Of course most of the people (computer forensics and incident response professionals) who recieved this letter must have immediately suspected something was fishy. After all, why would Guidance send out the notice if there was no breach of sensitive data? And then there were those who are already reporting that they are victims of the breach…