Are Payment-Card Breaches Already Being Reported In 30 Days?

Are businesses that suffer payment-card breaches already reacting to last week’s push by the White House to speed up disclosures? For the third time in the past week, a notable breach has been publicly disclosed within 30 days.

Tennessee-based ValuePetSupplies.com has notified several thousand customers that its servers were accessed by an unauthorized party who installed malicious files to capture personal information that customers entered on the website, SC Magazine reported. But unlike many such breach notifications, the one from Value Pet Supplies came just two weeks after the breach was discovered.

According to a letter sent to thousands of its customers, the information stolen could include names, addresses, payment-card numbers, expiration dates and CVV numbers, phone numbers, email addresses and website account passwords. The company said the cyberattack appears to have taken place on or about Nov. 25, 2014, and the security professionals it hired to investigate the breach removed the malware and shut down the data leak by Dec. 29.

But the Jan. 12 letter also explicitly states, “This notice has not been delayed by law enforcement.”

That marks a significant change from standard operating procedure for breaches as recently as six months ago. The U.S. Secret Service and FBI, which investigate most payment-card breaches because they typically involve interstate activity, have routinely requested that breach notifications be delayed while they investigate. State laws that require prompt notification of data breaches usually allow a delay at the request of law enforcement agencies.

On Jan. 12, the same day as the Value Pet Supplies notification letter, President Obama called on Congress to enact the Personal Data Notification and Protection Act, which calls for regulation that requires companies to inform customers within 30 days if their data has been hacked.

The following day, two separate online parking reservation services (Park ‘N Fly, based in Atlanta, and OneStopParking.com, based in suburban Cincinnati) both said they had notified customers of breaches they had discovered less than 30 days earlier.