SuperValu, Centra and Daybreak, which are common corner stores and village shops in Ireland, have suffered a widespread cyber attack that has put customers’ payment card numbers and expiry dates at risk.
Musgraves, the parent company of all three retail chains, confirmed that criminals had attempted to steal the card data, and is now investigating the incident with the assistance of An Garda Síochána.
The Office of the Data Protection Commissioner has also been notified of the breach and will receive regular updates as this investigation continues.
Musgraves released a statement yesterday, stating that it had “detected that malicious software was attempting to extract debit and credit card numbers and expiry dates, but not the cardholder name, PIN number or CCV number”.
For now, there is no evidence to suggest any data has been stolen, but a spokesperson for Musgraves said they were “advising any concerned shoppers to review activity on their statement as a precautionary measure”.
Since noticing the attack, Musgraves says it has installed “advanced technical fixes” and continues to “actively manage and monitor the situation”.
As this investigation continues, Musgraves will have to review its Payment Card Industry Data Security Standard (PCI DSS) compliance framework to understand where it let the company down and what improvements need to be made.
What is the PCI DSS?
The PCI DSS applies to all organisations worldwide that transmit, process or store payment card data. This applies to both the smallest merchant handling a few orders and the largest service provider processing millions of transactions on behalf of other businesses. With rules governing everything from data encryption to network segmentation, the PCI DSS requirements can be difficult to meet and maintain. What matters to all organisations is effective, timely compliance, and maintaining this within an acceptable budget.