Cotton traders confirm – credit card data stolen
Cotton Traders has confirmed on Wednesday that on-line attackers have stolen thousands of credit card details from the web site of the clothing company, although they say the data was encrypted. The company, set up in 1987 by former England rugby captains Fran Cotton and Steve Smith, acknowledged that its systems had been accessed in January.
The company said Barclaycard was immediately informed. Most cards were stopped in January and customers affected by the breach were contacted and issued with new cards. Cotton Traders did not confirm the size of the breach, but said a figure of "up to 38,000" customers reported by the BBC, which first publicised the hack, was "wildly inaccurate". Cotton Traders said it immediately attended to the problem and has changed its security systems. In a statement the company said "We immediately brought in industry security experts to resolve the problem," – "Cotton Traders have recently upgraded all security on their web site which has been validated by leading Industry experts." The BBC report said customer addresses were also stolen in the hack. The technique used in the hack was not disclosed.
Apacs, the trade association for the payment industry, said the hack was serious because the attackers accessed details for "card not present" fraud. These details allow cards to be used in situations such as on line transactions, effectively circumventing protections such as Chip and PIN. Apacs said a specialist police force is investigating the case. The UK no longer has a dedicated electronic crime police force, following the merger of the National High-Tech Crime Unit into the Serious Organised Crime Agency (SOCA). The government is contemplating re-introducing a high-tech crime-fighting force, but it may be partly funded by industry.
Last month the European Network and Information Security Agency (ENISA), a European Union-wide security advisory body, called for such security breach disclosure regulations to be put into place across the EU as a step toward raising awareness of the seriousness of security threats. ENISA said governments, businesses and consumers are still underestimating the scope of the IT security problem, in part because of the lack of transparency when breaches occur. ENISA said "Reliable and comprehensive data on such incidents are difficult to obtain for many reasons, ranging from the rapidity with which security events can happen to the unwillingness of some organisations to disclose and publicise security breaches".
Cotton Traders did not publicly disclose the breach precisely because there are no laws requiring such data losses to be made public in the EU. The largest theft of credit card information to date, in which details were stolen from TK Maxx over a period of 16 months up to January 2007, was only made known in the UK because the parent company was based in a US state, requiring breaches to be disclosed under US law.