After weeks of speculation surrounding the identity of “the merchant” at the centre of May’s bank data breach that resulted in thousands of credit card cancellations, the head of online retailer Crazy Sales has moved to fend off rumours.
No one can prove 100% that it’s Crazy Sales, said David Yin, owner of Crazy Sales, when asked directly if his company is the merchant that triggered the cancellations of an estimated 10,000 credit cards — including 8000 by the Commonwealth Bank.
“St George is doing an investigation … all I can say is that it’s under investigation,” Yin told Technology Spectator.
An investigation by Technology Spectator has revealed that St George Bank — the acquiring bank at the centre of the debacle, was recently removed as the credit card provider listed on the Crazy Sales website. Yin confirmed Crazy Sales is currently only accepting payments by PayPal and BPAY as it awaits the results of the bank investigation.
St George isn’t commenting, declining to name the merchant involved, but it did tell AAP it was a compromise at the business’s end.
Speculation on the merchant involved hit fever pitch in online forums after the event, with numerous merchants, including Crazy Sales, put forward as a possible culprit. Unfortunately such speculation is only likely to continue as consumers are left in the dark when credit card information is compromised.
The Office of the Australian Information Commissioner, which deals with privacy breaches, and recently conducted an investigation into the data breach of the Sony Playstation Network, said it is aware of the matter. The office had discussions with several banks when the issue was first raised, and concluded it was satisfied with the steps the banks had taken to protect customers’ personal information.
“When we have received further information, we will decide whether to open an investigation,” Australian Privacy Commissioner Timothy Pilgrim said in a statement.
Meanwhile, we continue to wait for action from the government on significant reforms to the Privacy Act that have been under consideration since 2008. These include increased powers for the Privacy Commissioner to impose penalties for serious breaches of privacy.
The Australian Law Reform Commission also recommended the government consider introducing mandatory data breach notification laws, such as those already in place in parts of the United States.
In its cybersecurity policy proposal released last month the White House flagged a national data breach notification law that would require any business that collects personal information about more than 10,000 people during any 12-month period to notify them immediately following a data breach.
If such a law was in place in Australia the incentive on companies collecting sensitive information, including credit card details, to take preventative measures against breaches would be much stronger.
In the 2007–08 budget, the Australian government allocated $8.9 million over four years to implement a range of initiatives designed to help protect home users and small business from electronic attacks and fraud. This extended to a range of education initiatives such as last week’s Cyber Security Awareness Week, the Stay Smart Online website and a voluntary code of practice for internet service providers.
Sadly education is not proving to be the silver bullet with data breaches growing in number and severity. Research from the Ponemon Institute on the Australian cost of a data breach found organisations sustained financial losses of almost $2 million on average per incident. So the financial incentive is there to act. And for larger companies, that action is happening.
Smaller firms do not seem to be so vigilant. In the US for example a Trustwave survey recently found 90% of credit card data breaches occur at the small merchant level.
The barriers to entry of entering an online business, such as myriad sites popping up in the daily deals, online retail and crowd buying markets are remarkably low, yet the kind of data they can collect is considerable in scale and value. This imbalance needs to be fixed, and the threat of fines for allowing breaches to occur seems the most likely stick to work.
*This was first published on Technology Spectator.