By Nick Heath, 11 June 2008 13:25
Thousands of credit card details have been stolen after high street retailer Cotton Traders' website was hacked.
Hackers breached the company website in January and stole encrypted customer details.
It was initially reported that 38,000 card details were stolen. Cotton Traders claim the number is "substantially less" but refuse to confirm the actual number.
Cotton Traders warned that other major retailers would be vulnerable to the same attack, saying its website has always met "leading security standards".
The company claims it notified its customers within days of it happening, flagged up the breach with banks immediately and closed the hole within hours of the attack.
Customers who have become a victim of fraud following the attack are being asked to contact their credit card provider.
Security groups say the attack highlights the need for laws governing companies' response to breaches, as called for by silicon.com's Full Disclosure campaign.
John Turner, European VP at security company Symantec, said in a statement: "The loss of personal data can have a huge negative impact on an organisation's reputation. Data breach notification legislation would be an important step to increase levels of data security and ensure that organisations are aware of their requirements and obligations to disclose to customers when personal data has been lost or stolen."
A spokeswoman for Cotton Traders said: "Cotton Traders have recently upgraded all security on their website which has been validated by leading industry experts."
She claimed it was only credit card numbers that were stolen.


Comments
There are 23 comments.
1. anonymous
I can assure you that as a Cotton Traders online customer I was NOT notified of the security breach. Needless to say I have instructed Cotton Traders to remove me from their customer database with immediate effect and will cease trading with them.
2. anonymous
I totally agree with full disclosure - it's disappointing to think that this breach occurred in January but it takes six months for people to find out - I am a regular Cotton Traders (online) shopper and having suffered CNP fraud this year am pretty annoyed I was not contacted by them when this event happened.
No system will ever be 100% secure, but if we could have all contacted our banks within hours of the event happening, it might have well made the stolen card numbers useless.
3. anonymous
So Cotton Traders advised their customers of the security breach?
I was an online customer?
They did not notify me.
In the past two months attempts have been made to perpetrate frauds on two of my cards. Fortunately I was observant on one and caught the problem early. My credit card supplier (Egg) was observant with the other and caught that early.
4. anonymous
The first I heard of the fraud was this week.
5. Hilary Brown
I too was an online customer of Cotton Traders - and received NO contact from them.
6. anonymous
I can only add to the comment questioning Cotton Traders claims about contacting their customers. I am also an online customer and I was not contacted.
7. anonymous
If the data that was stolen was encrypted, then surely the risk is limited because a key to unlock the encryption is required!
8. Richard Aylward
They didn't notify me. Don't suppose anyone independent of the company checks that they really have told their customers.
9. Tim Holman
Full disclosure could be useful, but if a company admits and publishes a breach, they would be inundated with calls that in itself would present a significant impact on business (they probably wouldn't be able to take telephone trade for a few weeks, for example).
As a Qualified Security Assessor for PCI DSS, I have seen hundreds of forensic cases across Europe, involving e-commerce websites. There are some big, high street names in the list, that nobody outside of a few people in that company, ourselves, plus Visa/Mastercard actually know about.
If word got out, there would be complete havoc!
Businesses and Visa/Mastercard are simply not ready to take on full disclosure. The statutes need to be very carefully thought out and hefty incident response plans put in place.
At the moment, the system is that if a merchant/service provider discovers a breach, it must be immediately reported to the card schemes (Visa et al) so that loss can be mitigated. However, more often is the case that Visa finds out due to a number of fraudulent transactions involving cards that have all been used in the same store, that a compromise has occurred and contacts the merchant.
10. anonymous
First aware of problem when my credit card contacted me to query some attempted entries (all under £2) made via Itunes. Card was immediately cancelled and replaced but fortunately had another card to fall back on. Contacted Cotton Traders who gave an explanation but no apology for not contacting me before.
11. anonymous
This is NOT TRUE!
My switch card details were stolen and I was not told I was at risk by anyone!
I only found out by accident.
12. anonymous
Not a recent online customer, but still not notified.
13. anonymous
Switch details were NOT exempt from this. I too became a victim, but luckily my bank spotted it before I knew about it, and no damage was done this time, but I am now wary of using the site, despite loving their goods. I was never notified by Cotton Traders of the breach.
14. anonymous
I too was a victim. Someone used my card to buy two airline tickets. I contacted Visa when I spotted it on my statement and they initially credited my account. However some 5 months later, the items have reappeared on my statement so I have to do battle once again.
15. anonymous
I use Cotton Traders online service a lot and I was not notified. This year I have been a victim of card fraud on two separate occasions where more than one transaction was made, I managed to get my money back but was unable to say where I thought the problems might have occurred, if only I'd known this at least the card company could have looked into it.
How can we fight this sort of crime if companies aren't open? Had my details been used to purchase from Cotton Traders they would have gone the loser when the bank claimed the money back and it would serve them right, they can become victims of fraud too!
16. Kim Hudson
I too am a long standing customer- and I certainly have not been informed of this breach. I am covered - as I have been cloned a couple of times now - but this claim still causes me to lose confidence in their integrity towards their customers?
17. anonymous
It's September and I've just read this about the hacking. Now I know why my credit card was fraudulently used and I had to change it. Fortunately my bank was on to it quickly and my money was refunded. But it could happen to any site and it won't stop me using Cotton Traders! Baa Humbug to the fraudsters!
18. anonymous
15th September and I've just found out and purely by accident. Cotton Traders have never informed me of any problem. Luckily I haven't been a victim but not happy.
19. anonymous
So much for Cotton Traders contacting their customers, I wasn't and my card details were used....
20. Sean Wray
It is now mid-September and this is the first that I have heard or read about this. I am both an online and postal shopper with Cottons and also very disappointed as I don't recall being informed of this at all. Thankfully nothing has been done untoward on either of my cards that I use or my wife's so I will continue to use Cottons. But they seriously need to look at all these comments and admit they got things wrong big style.
21. Anon
I have been a regular buyer from Cotton Traders and recently in early September I was notified by Barclaycard that my details had been compromised (I have only used the card once, on the CT website). Subsequently my Smile credit card which was used in June to purchase from CT had been cloned and over £400 taken. My bank were very quick to identify this and cancelled all other payments. At no stage did I get any notification from CT!!!!!!!!
22. anonymous
Made purchase in June 2008, was NOT notified by Cotton Traders of breach... card details used only THIS MONTH....
23. anonymous
My Credit Card was the subject of attempted fraud (3 attempts) after I dealt with Cotton Traders.
Fortunately the Card Company (Goldfish) identified the test transactions and telephoned me. They placed a stop on the card and issued me with a new number which I will NOT be giving to Cotton Traders.