The recent breach of online retailer Batteries.com may have escaped your attention.

The Indiana-based company, according to a few reports, issued a letter to officials in New Hampshire indicating that hackers penetrated the Batteries.com network over a period of two months from February to April 2009. In the letter, the company indicated that 865 residents of New Hampshire had been victimized. Stolen data included customer names, addresses and credit card details.

Some of that data, Batteries.com says, was used for fraudulent purposes.

Information has yet to be released on how many victims there are outside of New Hampshire. But I don’t think a hacker would have a grudge only against residents of the “Live Free or Die” state. It’s safe to assume many more customers’ identities and credit card accounts have been affected.

Those customers will undoubtedly suffer severe headaches. Dealing with credit card companies. Credit bureaus. Banks. Automated phone systems. Paperwork. The list goes on.

One alleged Batteries.com customer on this message board said he had “thousands of charges” on his credit card from someone in the United Kingdom.

“(I)t looks like the operation is very sophisticated,” the poster says. “Some of the charges occurred within 1 second of each other and must have been automated because one of the companies, British Airways, indicated that they do not permit an airline ticket to be purchased by somebody and paid for by somebody else, and the card ‘looked’ like it was issued in the UK…I suspect thousands of other victims are seeing charges on their cards too.”

But Batteries.com, and any other merchant who is hacked like this, will also suffer severe headaches. First of all, the company will be issuing two years of free credit monitoring services to victims. Second, how many of these victims are likely to shop at Batteries.com again? And what about negative press coverage?

Further, can you imagine the amount of costly and time-consuming forensics work that goes into determining the details of two months worth of hackings?

As a merchant, if you are breached like this, you’ll pay a forensics auditor $250 an hour to spend days—many times several weeks—to pour through your “log” files, which register all events on your network. These auditors will conduct “reverse engineering” and scour your network for all sorts of data, such as if any users accessed your network from unusual locations. If your log files have been compromised, or not backed up properly, the process can even take longer.

An IT forensics audit is so complex that Visa has certified only seven vendors as “qualified incident response assessors.” (The data gathered during these audits, by the way, help companies such as Verizon Business, one of the seven assessors, publish great breach reports like this.)

An IT forensics audit, in many ways, is similar to a homicide forensics exam. But an IT audit can cost you $20,000 or more when it’s all said and done.

That may be good news for Visa’s qualified assessors. But for small merchants, a massive breach can be devastating.

‘Til Next Time,

Joan
The eSecurityDiva.