Originally Posted by
kristofera
Yes, but IMHO, the first thing they should have done was to secure that VPS and check if it contains any leads to where it was accessed from or where it was forwarding the data to.
Waiting for several days and leaving it up and online doesn't sound like there was much of an investigation in the first place.
I don't disagree. But, what they should have done is reported to law enforcement before they took any action. So which LEA would whomever discovered the breech have contacted given the outsource? Laws vary wildly between sovereign nations on this matter. And it takes years to analyze. The only thing in the general poplulace favor now is that there is such a glut of credit/bank card data on the black market, that the price is so low and the odds of your account being taken advantage of is now in your favor. Sad.