Hi, I run a small site which was recently defaced. I was stupid enough to keep a few credit card numbers (including expiry dates & holder names) of a few of my customers in my database. There is a possibility that this information was accessed. Should I be worried? If the cracker only got the credit card numbers, expiry dates and names, can they do anything wrong? Thanks
You made two mistakes here. 1. You should not keep the details of your customers at an unsafe location. If at all you're keeping them, make sure they are coded and not left the way they are. Yes, it can be accessed, and you'd better be worried because your customer can sue you for leaking out the information. 2. Yes, in case you don't know, I'm aware of a number of sites where you can shop with the CC number, name on CC, and expiry date ONLY. Please remove this information from your database ASAP or get it coded. Regards, EDIT: If my comments were taken as constructive feedback, then I would appreciate a Green Rep
Thanks for the replies. It all happened due to an insecure web application... Anyway, I removed the data from the database already. I will try to trace the cracker's steps to see if they accessed that part of the database. Hopefully if their purpose was only to deface the website, they didn't bother checking the database. In terms of the credit card data, I don't and have never owned one, so I am not too familiar with them. Can a cracker purchase things on a lot of websites with only the above data?
According to Visa, MasterCard and other payment processor requirements you should protect credit card data. I would suggest using some encryption to store credit card info.
Ouch, that is pretty bad. If the credit card companies find out, then you get into a whole lot of trouble and can be blacklisted forever, including for third party merchant accounts. Make sure that no one finds out.
That is sort of big, and I am sure that was the only thing the cracker was after. Hopefully you can trace him back and pursue legal action; that is the only way I see to prevent him from using them. But most likely you won't be able to trace him back. I am sure if they know how to deface your site, they know how to hide themselves. It's such a shame, but it's reality.
Well, they can use the details, especially for online purchases, as those do not require signatures. I think the right thing to do is to contact those customers who have been affected and ask them to cancel their credit cards and to get new ones. I know you'll probably get a bad rap for this from your customers and may lose them, but it should help arrest the problem. It would be better to keep quiet and when things go wrong, you'll be in bigger trouble.
I agree with you. If anything goes wrong, you will be the first suspected! So, better ask them to cancel the card.