The website of Queensland School Photography has been hacked, with students’ parents reporting their credit cards used in unauthorised overseas transactions.
The schools photography business shut down its online ordering system and warned parents via e-mail of the security breach last Thursday, March 9. It assured school principals no photos were at risk, and it’s ‘not aware’ of any breach in relation to personal information.
‘At no stage has any children’s images been at risk. As you are aware our photos are ordered on a prepaid system prior to date of photography. Therefore our photos are not on our website for viewing,’ it told principals in an e-mailed message. ‘Queensland School Photography takes these matters seriously and does not store any credit information on our website. The culprits have done this for the sole purpose of credit card fraudulent activity. Our bank is conducting a full investigation.’
It initially couldn’t measure how widespread the breach was or what had been stolen, but later confirmed it was isolated to the online payment processing provider. Parents have confirmed dodgy transactions on their credit cards.
Four parents whose children attend the Holland Park State School said on the school’s Facebook page that unknown people attempted to use their card details.
Nail Laycock, whose daughter attends Tamborine Mountain State School, told the ABC that $3000 went missing from his account in the early hours of Saturday morning.
Unauthorised transactions have occurred in Europe and the US.
Queensland School Photography has referred the matter to police.
‘Our investigations indicate that no photos have been breached — the incident appears limited to payment card information,’ Thurid Cook, operations manager for Queensland School Photography, told ABC. ‘It is hard to ascertain the exact number of those affected, as most customers have contacted us after we gave a general notice of the incident to all customers.’
The company is remaining tight-lipped regarding the breach – a ‘response-plan is on the way’. Media outlets have failed to receive any substantial information or transparency regarding details of the breach. However, the Toowoomba Chronicle estimates nine schools in the city are potentially affected.
Queensland School Photography is a member of the Professional Schools Photographers Association International (PSPA), which ProCounter reported last year was working on merging with the AIPP.
Queensland School Photography says it uses Secure Sockets Layer (SSL) on every page, making a secure connection between the online ordering system and a computer. This is ‘more secure’ than standard basic certificates.
Additionally, credit card details are not stored on the website and its payment system complied with the Payment Card Industry Data Security Standard (PCI DSS).
The Queensland Police has referred the investigation to the Australian Cybercrime Online Reporting Network.