Cotton Traders web site hack loses thousands of credit card details

News 11 Jun, 2008

The data theft from the British clothing retailer Cotton Traders has yet again raised questions about security and data policy.

Hackers have stolen the credit card details of up to 38,000 customers from clothing firm Cotton Traders after its website was hacked, according to reports.

The attack occurred in January, resulting in the company referring the issue to Barclaycard and calling in industry security experts. Cotton Traders said that all card details were encrypted, with most cards stopped in the same month of the attack.

The firm said in a statement: “Earlier this year we identified a security issue. We immediately brought in security experts to resolve the problem.

“We would like to reassure all our customers that their data is secure and that the Cotton Traders website meets all leading industry security standards.”

APACS, the trade association for the payment industry, said the attack was serious because hackers accessed details which could be used for ‘card not present’ fraud. It said a specialist police unit was working on the case.

The company has not issued individual notifications for the customers affected and has said that anybody concerned about the attack should talk to their card provider. However, some security experts say this is not enough.

Security vendor Symantec, in association with Ipsos MORI, recently commissioned a survey which claimed that 96 per cent of the general public would want to be notified if their details were lost by an organisation. 85 per cent said bank account details were a priority.

“Although most data breaches are accidental, the lost of personal data can have a huge negative impact on an organisations reputation. However, in this case, the breach was intentional and the company didn’t notify the affected customers to the security hacking,” said John Turner, vice president for EMEA Presales at Symantec.

Turner said that data breach notification legislation would be an important step to increase levels of data security.

“[It would] ensure that organisations are aware of their requirements and obligations to disclose to customers when personal data has been lost or stolen.”

The reports come only days after a Home Affairs committee said that the government needed to make sure that it kept the data it held about people to a minimum.

The Information Commissioner agreed with their view, and also said it was a priority that organisations were forced to undergo privacy impact assessments to make sure they were handling data properly.