When you ask a merchant to store your credit card information, you are trusting them to protect that information. While some web sites make it very difficult for you NOT to save your credit card information (Amazon being one), many web sites ask you if you want to save your credit card information.
For sure, if the web site is one that you don’t use frequently, then DON’T have the web site save the credit card.
In this case, the Topps trading card company announced the breach. The data compromised is the usual: names, addresses, email, phone number, credit card number, expiration date and verification number.
If the web site did not store the credit card number, then it would be harder for the hackers to steal it. Not impossible, but harder.
The breach timeline is around July 30, 2016 to October 12, 2016.
The company thinks that Paypal payments were not compromised, but they are not sure.
The issue is whether the credit card data was stolen from where it is stored in a database or at the moment that the credit card processing occurs. Topps is not providing any details and is not saying how many cards were taken.
Topps hired a security firm and patched the hole that the hackers used. They are not saying what the hole is.
This is the second breach related to Topps in the last 6 months.
The earlier breach was related to a MongoDB database that was open to the Internet (this seems to happen way too frequently).
Researcher Chris Vickery reported the first breach last June.
However, while security at Topps wasn’t working, their spam filter was. Chris’s email wound up in the spam bucket; an employee thought he was trying to sell something and ignored the emails. For that breach, Databreaches.net called Topps headquarters and told them about the problem. Apparently, the phone call did NOT wind up in the spam filter.
In the case of the new breach, the researcher who discovered the new breach was in a meeting with Topps and told them.
It looks like Topps has a lot to learn; hopefully they will learn something from these breaches, including that even if a breach notification lands in your spam bucket, you might want to check it out.
In the meantime, as a consumer, consider not saving those credit cards on infrequently used web sites. In fact, if you can check out on those sites as a GUEST, there is no easy way for them to save your credit card info to a profile. This is not perfect, but it may help.
Information for this post came from Security Week.