Irish consumers have been warned to be vigilant after US authorities revealed details of a scheme in which more than 130 million credit and debit card numbers were stolen.
Three men were indicted on charges of being responsible for five corporate data breaches in a scheme in which the card numbers were stolen from Heartland Payment Systems, 7-Eleven and Hannaford Brothers, US federal prosecutors said in a statement.
The suspects also hacked two unidentified corporate victims, the US attorney's office in New Jersey said in the statement.
A tiny fraction of the cards would have been Irish, according to Úna Dillon, head of credit card services at the Irish Payment Services Organisation.
Speaking on RTÉ's Morning Irelandprogramme today, Ms Dillon said anyone affected by the fraud would know about it by now.
“We would have been alerted by the card schemes so Visa and Mastercard International would have given us a list of cards that were compromised at the time and those cards would have been blocked and reissued,” she said.
“The information that was stolen is the information encoded on the back of the card along the black stripe and the expiry date. The only thing the perpetrators can do is create counterfeit cards and attempts to use them were not successful as they had been blocked.”
Ms Dillon advised anyone concerned about the safety of their credit cards to keep monthly statements and receipts and cross-check them.
“If you see anything unusual then contact your bank. They are obliged to dispute anything unusual you believe you haven’t authorised,” she said. “Card holders are not responsible for fraudulent third party activity on their accounts. If you have been a victim of fraud you will get your money back.”
Andy Harbison, a cyber-security specialist with Grant Thornton in Dublin, said the method used to steal the data was a highly-skilled hacking technique and said companies were not focused enough on security.
“This attack was an SQL injection attack. Flaws in complex codes allow hackers gain access to data. Companies focus too much on designing pretty websites and not enough on ensuring their security is tight,” he said.
Companies can protect themselves against attacks, he said, by ensuring they comply with PCI DSS standards.
These are a set of comprehensive requirements for security management, policies, procedures, network architecture, software design and other critical protective measures intended to help organisations protect customer account data.
“If you comply with these standards you won’t eliminate fraud but you will certainly minimise your risk,” said Mr Harbison.
With regard to consumers, Mr Harbison also stressed the importance of checking credit card statements online and keeping receipts.
“Report any suspicious transaction on your card, even if it is for as little as 20c,” he said. “Fraudsters will often put a small transaction through on a card to check if it works. Every country is vulnerable to this kind of hacking. These fraudsters work across borders which makes it very difficult to track them down."
The US Justice Department said Albert Gonzalez (28) a former government informant from Miami who is already in jail awaiting trial in connection with hacking cases, and two unnamed Russians were indicted on charges related to five corporate data breaches from 2006 to 2008.
Heartland Payment Systems and Hannaford Brothers had previously and separately acknowledged the breaches, but the scope of the fraud had not been known.
Authorities also for the first time tied those cases to Mr Gonzalez, who was arrested last year on suspicion of hacking into a restaurant chain's payment system.
Prosecutors said he and the Russians, identified as "Hacker 1" and "Hacker 2", targeted large corporations by scanning the list of Fortune 500 companies and exploring corporate websites before setting out to identify vulnerabilities.
A year ago, Mr Gonzalez was indicted along with 10 others from five countries on accusations of stealing 41 million credit and debit card numbers from major retailers, including TJX Cos Inc, owner of the TJ Maxx and Marshall's retail chains. Prosecutors said that ring caused more than $400 million in damages.
Mr Gonzalez is being held in a Brooklyn jail. Prosecutors would not comment on the whereabouts of the two Russians. All three were charged with conspiracy to gain unauthorized access to computers, to commit fraud in connection with computers and to damage computers, and conspiracy to commit wire fraud. Each faces up to 35 years in prison and large fines if convicted.
Prosecutors said in the statement that the suspects would seek to sell the data to others who would use it to make fraudulent purchases.
They cited one example in which they said the suspects went to retail locations to identify the type of checkout machines, and after further investigation into the computer systems they uploaded information onto servers that worked as hacking platforms.
"These servers, located in New Jersey and around the world, were used by the co-conspirators to store information critical to the hacking schemes and subsequently to launch the hacking attacks," prosecutors said.
Additional reporting: Reuters