Australia's Commonwealth Bank has cancelled around 8,000 credit cards after a data breach was detected at a merchant.
According to Australia's itnews.com, Commonwealth Bank noticed fraudulent transactions on its network and alerted Visa and MasterCard, the breached (and unnamed) merchant, the merchant's acquiring bank, and affected customers.
In a statement, the Commonwealth Bank said that it "continuously monitors all credit card transactions to protect our customers from fraud and during this process we became aware of a potential credit card compromise through an Australian merchant acquired by another bank".
Australia's Privacy Commissioner is aware of the breach but did not say whether it is investigating the incident. By comparison, in January 2009 the processor Heartland Payment Systems suffered an incident that has to date resulted in the compromise of around 130 million credit cards.
Rob Warmack, senior marketing director at Tripwire, said that although the number of credit cards and customers affected in this incident is lower than in other breaches, it is worth examining because it highlights the problem of disclosure.
Talking to SC Magazine, he said: “Companies are not coming forward and saying it has happened, and from surveys we have done, we found that most breaches are not disclosed. Without a law on notification, this is how we discover notifications, via announcements and the press, but given the number and frequency of data losses, with PCI DSS installed in the first place there is a chain of trust from the merchant to the bank to the consumer, and they need to be protected to the minimum security standard or anyone can be impacted through the chain.
“Without public disclosure laws there needs to be compliance legislation to protect the end user, but it is not followed on a day to day basis.”
Given that the breach was detected, Warmack was asked whether the case was a good advertisement for the use of log management and security information and event management (SIEM). He said he was unsure which technologies were in use, but cited the Verizon data breach report, which found that 86 per cent of breach victims had evidence of the breach in their log files.
He said: “I think that we could assume that it was using the right technology, but another Verizon statistic said that 96 per cent of breaches were avoidable through simple or intermediate controls. File integrity monitoring can be used to minimise risks, and you can assume that if the Australian Privacy Commissioner did investigate, then it might find that solutions may not have been implemented on an ongoing basis.”
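Warmack names file integrity monitoring as the control that would have helped, and the "ongoing basis" caveat is the part most deployments get wrong. The following is an added example, written for this page; it is not Tripwire's product code and not anything the article or the merchant used. It builds a SHA-256 baseline of a directory tree, re-scans it, reports added, removed and modified files, and seals the stored baseline with an HMAC so that an attacker who can edit the monitored files cannot silently edit the baseline too. The directory layout, file contents and key in `demo()` are constructed for the example.

```python
"""Minimal file integrity monitoring (FIM): baseline, re-scan, diff, and an
HMAC seal on the stored baseline.  Added example for this page; not Tripwire's
code and not from the article.  File names, contents and the key in demo()
are constructed."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative POSIX path -> digest for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Report files that appeared, disappeared, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def seal(baseline, key):
    """HMAC-SHA256 over a canonical JSON form of the baseline.  Whoever can
    alter monitored files can usually alter a baseline stored beside them, so
    the key (or the sealed baseline) should be kept off the monitored host."""
    blob = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def baseline_is_intact(baseline, key, tag):
    """Constant-time check that a loaded baseline matches its seal."""
    return hmac.compare_digest(seal(baseline, key), tag)


def demo():
    """Constructed scenario: snapshot a web root, tamper with it, re-scan."""
    key = b"constructed-demo-key-real-keys-belong-off-host"  # assumption
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "checkout").mkdir()
        (root / "checkout" / "pay.php").write_text("<?php /* constructed */ ?>\n")
        (root / "config.ini").write_text("merchant_id=constructed\n")

        baseline = build_baseline(root)
        tag = seal(baseline, key)

        # Simulated tampering between scans: one file edited, one added, one deleted.
        (root / "checkout" / "pay.php").write_text(
            "<?php /* constructed */ /* injected */ ?>\n")
        (root / "checkout" / "helper.php").write_text(
            "<?php /* dropped by attacker */ ?>\n")
        (root / "config.ini").unlink()

        diff = compare(baseline, build_baseline(root))

        # The genuine baseline still verifies; a baseline edited to hide the
        # change to pay.php fails the seal check.
        forged = {**baseline, "checkout/pay.php": "0" * 64}
        return {
            "diff": diff,
            "baseline_ok": baseline_is_intact(baseline, key, tag),
            "forged_ok": baseline_is_intact(forged, key, tag),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison is only worth anything if it runs on a schedule and the baseline is refreshed through change control rather than whenever a diff appears; a single scan taken at audit time is exactly the "not implemented on an ongoing basis" failure described above.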