Warning to customers as Fota Wildlife Park hit by cyberattack

Calahonda52

FYI, move if in wrong place

https://www.rte.ie/news/ireland/2024/0828/1467216-fota-wildlife-park-cyberattack/

Fota Wildlife Park in Cork has been hit by a cyberattack and customers have been warned that their financial information may have been compromised.

Users have been told that they may need to cancel credit/debit cards used to make payments on the park's website.

blackwhite

Expect a long hard look from the Data Protection Commissioner at this one.

Advising customers to cancel debit/credit cards suggests that Fota may not have been PCI-compliant in how they handled customer card payments.

PixelCrafter

This is why I always use a disposable Revolut card online for stuff like this.

Furze99

https://www.boards.ie/discussion/comment/122557286#Comment_122557286

Indeed, why would they have been storing card details. Perhaps for annual repeating memberships or something like that but hardly from the ordinary punter just getting tickets for a visit.

blackwhite

https://www.boards.ie/discussion/comment/122557354#Comment_122557354

Not supposed to hold card data like that.

You are supposed to use a system where your card acquirer stores an encrypted token to enable repeat payments - the card details should not be accessible.

ELM327

Not allowed hold card details under any circumstances. Hopefully a large fine from the DPC and or financial regulator.

blackwhite

https://www.boards.ie/discussion/comment/122557429#Comment_122557429

You can store an encrypted token to allow repeat payments be taken from the card.

You just cannot store the actual card number itself.

Deagol

https://www.boards.ie/discussion/comment/122557429#Comment_122557429

Seriously? You want a charitable, award winning wild life sanctuary to get a large fine because they got hacked - like so many other institutions who have been - no wait to find out how and why etc before calling for a lynching.

Keyboard warrior rubbish at it's very best. I hope you live such a blameless and perfect life that you're above reproach…

My partner is affected by this and her reaction was a roll of the eyes and a quick moan about the inconvenience. No dramatic overreactions like this.

eightieschewbaccy

https://www.boards.ie/discussion/comment/122557517#Comment_122557517

Think is, if you doing enforce the rules around this kind of issue then it negatively impacts trust in all outlets online. They need to meet the same financial standards of other outlets and personally I'd prefer to know that charities etc don't get a free pass. If they did, I'd be less likely to donate.

This also could be an overreaction on their part and they might be doing everything right so hopefully that's the case.

Fr Tod Umptious

https://www.boards.ie/discussion/comment/122557517#Comment_122557517

I wouldn't take much heed.

It's a typical CA/IMO reaction.

The person has probably never been to Fota to see what it offers and how popular it is.

I'm surprised no one has chimed in with a wish that they go out of business because they are overpriced or something.

SuperBowserWorld

I'm pretty sure the Cheetahs don't give a flying **** about the crazy humans and their **** planet destroying lifestyles. The juxtaposition of the invented human problems upon problems with pictures of caged majestic big cats is surreal.

ELM327

https://www.boards.ie/discussion/comment/122557497#Comment_122557497

Yes, a PAN token or network token, can be stored and retain PCI compliance. I work in finance and have done so for 15 years so I know the difference. Seems like others think PCI compliance is a non issue.

https://www.boards.ie/discussion/comment/122557517#Comment_122557517

No dramatic overreactions, so who pays for the losses caused by stolen card transactions? Other merchants? Banks? The card issuers? The how and why is irrelevant, they were storing class 1 data which can never be stored.

https://www.boards.ie/discussion/comment/122557558#Comment_122557558

I've been to fota several times. From visiting as a child to taking my own family there and trying out the tesla chargers when we were excited to find a destination charger there. It could be my own son's business, I'd have the same attitude. Having stored card details is a massive issue. Having them stolen from you is even worse. PCI compliance is no joke.

blackwhite

https://www.boards.ie/discussion/comment/122557717#Comment_122557717

I really don't understand the attitude from some about this.

We visit Fota at least once a year - love the place. But that doesn't give them a free pass to ignore consumer protection laws.

Maybe the warning they've put out is an abundance of caution and all is actually OK - but the statements this morning certainly give the impression that they were storing information that they shouldn't have been and that they have put customers at risk as a result.

gipi

An expert in the Irish Times report suggests that the Fota website itself may have been compromised, so card details were being harvested from the website as customers entered details, rather than from stored data.

https://www.irishtimes.com/ireland/2024/08/29/credit-card-warning-for-customers-of-fota-wildlife-park-after-cyberattack/

Fr Tod Umptious

https://www.boards.ie/discussion/comment/122558044#Comment_122558044

Obviously this is very serious, you often hear about hacks and people being advised to lookout for strange contacts etc, but being asked to cancel cards is a completely different level.

So a full a proper investigation should, and will take place and whatever the regulations deem as "punishment" will be applied, and I'm sure there will be redress for people who have suffered financially from this.

But someone "hoping" they are hit with a huge fine, that's a bit weird.

ELM327

https://www.boards.ie/discussion/comment/122558152#Comment_122558152

Interesting reading there. It's an opinion piece, so not 100% on accuracy, but if it's true, that's far worse. People not only have their CC info stolen, but all login data and cache it seems. So not only do they have your CC info, they have geolocation data, system data, email, password, username, phone number etc. Enough to attempt sophisticated scams, attempt to pass 2FA or 3DS tests. That is a very dangerous situation and as a former risk manager myself here must pose the question, how did 1LOD,2LOD and 3LOD all fail here? What was their monitoring strategy for protecting the userbase they store data on?

I'm in awe, it's like printing out all the information and storing it in an unlocked cabinet. How can a man in the middle attack with access to the website be allowed to persist for weeks or months? Shocking is the only word.

spaceHopper

OK So I’m a big tinfoil hat fan and hate companies using my data for anything other than the service or product they provide. I’ve had my personal data leaked by Fastway, Linkdin, Paddy power, some car parts website, western digital and a few others. Most of them are tech companies or large that should know better.

But Foto ? Really, they probably had company design and manage their website. To me it reads like their website was hacked and code to steal logins and CC numbers was inserted into it, and not that they were illegally storing numbers.

By the way, when Fastway were “hacked” they claimed to be the victim of cyber crooks and were working with the Gardai. What actually happened was they had a database on a cloud server open to the internet and it wasn’t password protected.

Furze99

https://www.boards.ie/discussion/comment/122559412#Comment_122559412

Fastway are one of the most disreputable businesses about in my experience. Never have anything to do with them in my advice.

tringle

I was in Fota, I used my card in person at a food stand. No website, no online, but in person. My credit card company called me to say they had been advised to cancel all cards used in the past 6 months in Fota and to move funds out of my current account until the new card was issued. They are taking it pretty seriously.