Company ignored the PCI DSS standard, stored CVVs

Jul 3, 2015 14:49 GMT

Customers who ordered from the Dungarees website during a window of roughly two and a half months starting March 26 may have had their payment card data exposed, the company has announced.

The breach was discovered on May 15, when the website was moved to a new web server and signs of unauthorized modifications to the site were observed.

The company says that, immediately after noticing the intrusion, it took the necessary steps to secure the website. However, the period of compromise does not end on May 15: the company now puts the window at March 26 through June 5.

Trust seals from reputed companies increase user confidence

During this time, the website displayed the Norton Secured and McAfee Secure trust seals, both marketed to online shoppers as assurance that the site is scanned for vulnerabilities and malware.

Despite those seals, the card data of Dungarees customers who placed an online order between March 26 and June 5 may be affected. The details possibly taken by the attacker include names, billing addresses, email addresses, credit or debit card numbers, the cards' expiration dates and the card verification value (CVV).

Thieves could easily make fraudulent transactions

A cybercriminal holding this much information would have no trouble making fraudulent card-not-present purchases online.

The Payment Card Industry Data Security Standard (PCI DSS) prohibits merchants from storing the CVV after a transaction has been authorized. The code is meant to show that whoever enters it has the physical card in hand at the moment of purchase, and it is not part of the data a merchant needs to keep afterwards; a database that retains it hands a thief the one value that lets every stolen card number pass that check.
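The following Python is an added illustration, not code from the article or from Dungarees, of how a merchant's checkout handler should split card data: the full PAN and CVV go only into the authorization request sent to the processor, while the record the merchant persists keeps a masked PAN and the expiry and drops the CVV entirely. The field names, the sample checkout post (which uses a well-known test card number) and the `audit_stored_record` helper are all assumptions made for the example.

```python
import re

# Constructed sample of what a checkout form posts to the merchant's server.
# The card number is a standard test PAN, not a real card.
CHECKOUT_POST = {
    "name": "Jane Doe",
    "email": "jane@example.com",
    "billing_address": "1 Main St, Anytown",
    "card_number": "4111 1111 1111 1111",
    "exp_month": "09",
    "exp_year": "2017",
    "cvv": "123",
}

# Sensitive authentication data that must never be persisted after
# authorization (assumed field names; the set of *concepts* is PCI DSS's).
SENSITIVE_AUTH_FIELDS = frozenset({"cvv", "cvc", "cvv2", "cid", "track_data", "pin"})


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (13-19 digits)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS permits for display."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def build_auth_request(post: dict) -> dict:
    """Data forwarded to the payment processor for authorization; the CVV is used here and only here."""
    return {
        "pan": re.sub(r"\D", "", post["card_number"]),
        "exp_month": post["exp_month"],
        "exp_year": post["exp_year"],
        "cvv": post["cvv"],
        "cardholder_name": post["name"],
    }


def record_for_storage(post: dict) -> dict:
    """The order record the merchant may keep: no CVV, PAN masked, everything else as-is."""
    record = {k: v for k, v in post.items() if k.lower() not in SENSITIVE_AUTH_FIELDS}
    record["card_number"] = mask_pan(post["card_number"])
    return record


def audit_stored_record(record: dict) -> list:
    """Return the names of fields in a persisted record that violate the no-CVV / masked-PAN rule.

    Flags any sensitive-auth field name, and any value that is an unmasked
    Luhn-valid card number (a masked PAN contains '*' and so never matches).
    """
    offending = []
    for key, value in record.items():
        if key.lower() in SENSITIVE_AUTH_FIELDS:
            offending.append(key)
        elif isinstance(value, str) and re.fullmatch(r"[\d ]{13,23}", value) and luhn_ok(value):
            offending.append(key)
    return offending


if __name__ == "__main__":
    auth = build_auth_request(CHECKOUT_POST)
    stored = record_for_storage(CHECKOUT_POST)
    print("to processor:", sorted(auth))
    print("persisted   :", stored)
    print("audit of persisted record:", audit_stored_record(stored))
    print("audit of raw post if it were stored:", audit_stored_record(CHECKOUT_POST))
```

Run against the raw form post, the audit flags both `card_number` and `cvv`; against the sanitized record it flags nothing. Note what this does not cover: the article describes unauthorized modifications to the website itself, and a checkout page altered by an attacker can copy the CVV as the shopper types it, before the merchant's server ever decides what to keep. Storage rules limit the damage of a database compromise; they do not protect a tampered front end.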

Such fraudulent payments can eventually be traced, but by then the criminals may already have resold the goods and made off with the cash. These operations are generally well organized, with different people handling specific tasks.

Dungarees has retained a forensic IT firm to determine how the perpetrators gained access to the eCommerce component of the website.

The company has purchased identity theft protection services and is offering them to affected individuals free of charge for one year.