Late last week, hackers took down Payza's blog and posted a mocking message in its place, implying that they were sitting on a treasure trove of stolen data. Payza says this was merely a hacker's stunt, and that no data of real value could have been compromised, but the company must still deal with the event's damage to its brand.
The London-based payments company is engaging with clients and partners to ensure they know the recent attack was limited in scope (the blog is hosted separately from the Payza payment platform) and to determine whether people have lost confidence in Payza's defenses.
"It gives a sense of weak security, when the attack was on a small part of the site and it doesn't touch what we do with payments processing," said Ali Nizameddine, executive vice president of product and technology for Payza.
The company did not disclose the specific cause of the attack, which Nizameddine said targeted hosted software, and Payza is continuing to investigate the incident. "That's something that we're working on; the hack just happened on Friday," he said.
Payza's blog is part of an informational site that links directly to Payza's main site. The Web design and signage are the same, and a single click takes users from one site to another. However, the two sites do not share the same level of security, Nizameddine said.
On its main site, Payza uses a series of electronic keys and encryption layers to provide what Nizameddine calls a "multi-level" firewall around the company's database and technology that supports payments processing. Payza's internally protected platform is used to quickly update the company's product line about once per week, and Trustwave handles its PCI compliance, he said.
"It's not even a single key for the database," Nizameddine said. "More than one person is required to access the data. You need to have two people who know the 'master key.'"
The company's blog, which is remotely hosted by a third party, is outside of that layer of protection. This lighter degree of security is meant to make the content, which is generally marketing and press releases, more accessible.
Payza did not elaborate on its relationship with the third party, but Nizameddine said "best practices" regarding hacking prevention are used for the blog. The blog was live early this week, though hackers are still targeting it, Nizameddine said. He added the company would respond to any brand or reputational crisis, but was hopeful that most people's knowledge of e-commerce had advanced to a point where they would know the difference between the part of a website that handled payments processing and another part that was purely informational.
"In this day and age, you want to think that people consider a blog to be part of the marketing materials," Nizameddine said.
The attack came at a poor time for Payza, given that many consumers, merchants and banks are still on edge about the holiday-season breach disclosed by Target Corp. a year ago.
"While breaking into a blog doesn't provide hackers with access to sensitive data, there is certainly a reputational impact to the company," said Julie Conroy, a research director at Aite Group. "Whether it's the taunting kind of message here that calls the company's security into question, or the possibility of putting forth a false blog that could spread misinformation, which could be particularly damaging for publically traded companies."
Companies should scrutinize the security of their blogging service, Conroy said. "Even if it's a third party, it's ultimately the company whose logo is associated with the blog that will bear the brunt of any adverse fallout."