Greece’s four main banks – Alpha Bank, Piraeus Bank, Eurobank and the National Bank of Greece – were forced to cancel 15,000 credit and debit cards after payment card data used by some of their customers on a Greek tourist services portal was hacked.
The banks issued a joint statement admitting that “a few dozen” customers had been charged for transactions they never made, but decided to gradually cancel and replace all 15,000 cards which had been used on the tourist service, even if it was just once.
The banks’ executives have confirmed that they immediately activated security measures which will keep the costs incurred by the breach “manageable.”
Details of how the breach happened are still unknown, but there is an ongoing inquiry, according to Greek newspaper Kathimerini. It is expected to finish by the end of March and is focusing on whether the website follows the Payment Card Industry Data Security Standard (PCI DSS) – that is, the information security standard which companies that handle branded credit cards from major card schemes are expected to follow.
Mastercard and Visa have also begun investigating the breach on the website, which allows users to book airline and ferry tickets, hotels, cars and travel insurance.
The banks have already informed the Bank of Greece. If it is the case that the website does fully comply with the PCI DSS, then the investigation will change course to understand how the breach occurred.
Greece’s capital Athens is now home to the European Union Agency for Network and Information Security (ENISA), which is the continent’s official agency for cyber-security. It is designed to help EU member states improve capabilities and expertise around cyber crisis coordination and the prevention of cyber incidents.
Though it has not been clarified whether this agency is involved in dealing with the most recent breach affecting Greece’s four biggest banks, it is likely to have some involvement in helping the banks protect themselves against future incidents.