Criminals Break Into Irish Online Retailer

The Irish Examiner broke the news this morning that an Irish online retailer’s computer security was breached by criminals who managed to compromise an undisclosed number of credit card details belonging to Irish customers. The breach was apparently discovered after the criminals tried to test whether the cards were active by making small online purchases from a New York based online food retailer. Most major Irish banks are in the process of reissuing credit cards to those affected by the breach, while most people who hold credit cards are frantically checking with their provider to see if they have been victims.

At the time of writing there are no public details as to which retailer was compromised, how that compromise happened, nor how many people were affected. This is one of the reasons I believe that we need data breach disclosure laws here in Ireland.

Knowing who the retailer is could save a lot of unnecessary worry for people who may think their cards have been compromised. Knowing how the attack happened will also be useful for other companies, so that they can ensure they have appropriate mechanisms in place to prevent and detect a similar attack, be that an attack via the Internet or an insider misusing the information.

It will also be interesting to know whether the retailer was PCI DSS compliant, and if not, what steps the credit card companies and the acquiring bank will take. My experience in dealing with a lot of companies is that many are not yet compliant with PCI DSS. With all its various faults, at least PCI DSS provides organisations with the minimum best practices and standards that they should have in place. Despite much of the vendor hype, PCI DSS should not be that hard for most companies to achieve. Indeed, if a company is serious about protecting their customers’ data, compliance with the PCI DSS standard should be a by-product of their own efforts.

Let’s keep a close eye on this case and see what lessons can be learnt from it.

UPDATE: John Collins has a piece in the 9th August edition of The Irish Times covering this story, with some commentary from myself.

Irish Ways and Irish Laws

I am regularly asked by clients, training course attendees and contacts in non-Irish companies looking to expand into Ireland what the most relevant legislation relating to information security is for organisations in Ireland. So here is my top list of legislation that you should be concerned about regarding information security and your business in Ireland. I hasten to point out that I am no legal expert and that the information below is purely for guidance and should be verified with your own legal team. If I have forgotten any items then please let me know:

The ones of concern to most companies would be the Data Protection Act, 1988 and the Data Protection (Amendment) Act 2003. Under these Acts an organisation is obliged to ensure the confidentiality of personal information belonging to customers and staff. This means ensuring that information is available only to those who need it, and only for the purposes for which it was gathered.

So for example, if you buy something from a shop and they ask for your mobile number to facilitate delivery, that is all they are allowed to use that data for. If you then get an SMS message from them advertising new services, they are in breach of the Data Protection Act and could face fines of up to €3,000 per message.

Similarly, if your organisation were to misuse personal information in a similar manner, you could face the same fines. You can also face fines for not securing the information properly. The Data Protection Commissioner has a good video on their site outlining the obligations.

You also need to be aware of the European Convention on Human Rights.

Under the Convention everyone has the right to privacy in all their communications. This means that a company cannot read employees’ emails or monitor their phone calls or their Internet usage. In order to do so you need to make staff aware of this in an Acceptable Usage Policy, so that they in effect waive this right.

The Employment Equality Act 1998 obliges you to provide a safe working environment for all, without fear of discrimination. An area that could be an issue is if a member of staff feels they are being sexually harassed due to the content other members of staff view on their computers. It is important that all staff are aware of what they are and are not allowed to do when using organisational resources such as computers, and what type of behaviour is acceptable. This would be outlined in an Acceptable Usage Policy. Ideally this should then be managed and monitored to ensure people are not breaching the policy, with disciplinary action taken where appropriate.

The Copyright and Related Rights Act 2000.

Under this Act, any copyrighted material found on your systems could result in a prosecution against the directors of the company and NOT the individual who violated the agreement. So if a member of staff copies the latest Spiderman movie onto their PC, it is the board of directors that could face prosecution and not the individual.

Finally, you are also obliged to protect credit card data in accordance with the PCI DSS standard. This is a standard produced by the credit card companies to ensure retailers secure credit card information belonging to customers. If you are found to be in violation of this standard and that violation resulted in credit card information being compromised, the organisation will face increased credit card charges, possible fines, and sanctions such as annual third party audits enforced on the organisation.

UPDATE – 22/05/08
For those of you based in the United States, the following post on “10 ways you might be breaking the law with your computer” may be of interest.