The data theft, which left the credit card details exposed from late December to almost the end of January, exploited a security hole in the in-house web application that had been developed to manage Small Dog's ecommerce system.
Don Mayer, CEO of Small Dog Electronics, explained that the company is PCI compliant, and that it had been subjected to a penetration test by a third party, which he would not name. The flaw in the code has now been rectified, and Small Dog is investigating the issue with the pen tester, added Mayer, who did not know what language the ecommerce system had been written in.
"I'm very proud of our staff in terms of their reaction. We have dealt with this very responsibly, and notified customers immediately of the breach," Mayer added. "We are doing everything in our power to reclaim our customers' trust and provide the credit monitoring services that are necessary."
One customer who placed an order with Small Dog at the end of December last year found in mid-January that her credit card was being declined. She subsequently received a data breach notice from Small Dog.
The letter, obtained by Infosecurity US, did not offer her any form of credit protection. Mayer explained that Small Dog was not offering credit protection without being prompted. Customers are being given credit protection via the Experian service, but only if they contact Small Dog and specifically ask for it, he admitted.
"I've been a loyal customer of Small Dog for eight years. I've probably spent around $10 000 with them since then," said the customer, who resolved to call Small Dog when Infosecurity informed her of the retailer's credit protection approach.
"A friend's card was hacked recently [through another company] and she was provided with a year of credit monitoring as recompense," she continued. "Small Dog didn't even offer me a coupon off my next order. I think I'll be buying my Apple products from some other vendors from now on."