The Irish Examiner broke the news this morning that an Irish online retailer’s computer security was breached by criminals who managed to compromise an undisclosed number of credit card details belonging to Irish customers. The breach was apparently discovered after the criminals tried to test whether the cards were active by making small online purchases from a New York-based online food retailer. Most major Irish banks are in the process of reissuing credit cards to those affected by the breach, while most people who hold credit cards are frantically checking with their provider to see if they have been victims.
At the time of writing there are no public details as to which retailer was compromised, how that compromise happened, nor how many people were affected. This is one of the reasons I believe that we need data breach disclosure laws here in Ireland.
Knowing who the retailer is could save a lot of unnecessary worry for people who may think their cards have been compromised. Knowing how the attack happened will also be useful for other companies so that they can ensure they have appropriate mechanisms in place to prevent and detect a similar attack, be that an attack via the Internet or an insider using the information.
It will also be interesting to know whether the retailer was PCI DSS compliant and, if not, what steps the credit card companies and the acquiring bank will take. My experience in dealing with a lot of companies is that many are not yet compliant with PCI DSS. With all its various faults, at least PCI DSS provides organisations with the minimum best practices and standards that they should have in place. Despite much of the vendor hype, PCI DSS should not be that hard for most companies to achieve. Indeed, if a company is serious about protecting its customers’ data, the PCI DSS standard should be a by-product of its own efforts.
Let’s keep a close eye on this case and see what lessons can be learnt from it.