Several large stores of Ireland had been hacked in October 2017. Tens of thousands of customers of Supervalu, Centra and Daybreak, as well as their parent company Musgrave are risking of losing their funds on their card accounts.
The spokesman of Musgrave reports that the incident is under investigation, and claims that malicious software was attempting to extract information about the card numbers and expiry dates. Such information, as the cardholder's name, CVV/CVC codes were not exposed by attack. It is reported that it was taken all necessary measures to protect the data immediately after the detection of the attack, and there is no any evidence that the data was stolen indeed. However, customers of the affected stores were given recommendations to be vigilant about transactions on their card accounts, and be ready to take appropriate action as soon as possible.
There is no any information about how much data could fall into the hands of fraudsters, and when exactly the stores had been hacked. The cyber-attack is believed to have taken place in Serbia. The investigation connected to the police, and the Office of the Data Protection Commissioner.
Cybercrime analysts say that if the cards data managed to intercept the attack echoes will be heard for several months or even years. After the theft of information cyber criminals are usually conducting a full analysis in order to understand how this information can be used. If the fraudsters can find a gap in the protection of information of any company, they will withdraw what they can, and after that will decide what to do. So, it is impossible to say exactly what information they could steal.
It could be not only the card numbers, but also home address, telephone number, email address. The information about card details can be sold on the black market or used for maintenance in online stores. Phone numbers, e-mail can be used, for example, for the purpose of phishing. There are a lot of options of unauthorized use of the information.
All companies that store personal information about customers must be aware of the responsibility and take necessary measures to protect this information, namely, encryption. Even if cyber criminals get access to this information, it will be useless.
At this moment the company takes a decision about encryption of personal data of the customers. However, The EU's General Data Protection Regulation comes into force in may next year. Non-compliance with its requirements can lead to sanctions in the amount of 10-20 million euros.
Let's hope that this regulation will contribute to some reduction in cybercrime, or the consequences of cyber-attacks will not be so significant.