Don't get down on AHB. This can happen to ANY company that does not have the TENS OF THOUSANDS OF $s and a whole department just for web/internet/c.c. processing security like Amazon, Sears, etc. have.
Something happened to us a year ago. We found the problem, corrected the system error, notified customers between specific dates of a possible breach and changed our PCI security scans to weekly instead of monthly.
Every day our server system is running 4 different security programs. Once a week on a rotational day basis, our server system is scanned by 13 different security programs.
Remember, these ******* thieves are not dumb! They are constantly learning and trying new ways to screw EVERYONE.
For example: Like many other online sellers, we noticed that [a theft ring from Singapore] was attempting purchases. All had the same name of card, same CC number but a different card security code. Upon communicating with Wells Fargo Bank, First Data Corp AND the PCI organization, I was told that the Singapore contacts were "testing" stolen cc numbers. Once they get the cc security code then they go on a buying spree.
Our response: We blocked ALL incoming orders via IP blocking from Singapore. We also forwarded all address and IP information to the Singapore Dept. of Trade. A Cabinet level person replied only two days later, thanking us for the information, stating that they were in the process of raiding some offices near to a freight consolidation warehouse used as the shipping address. Three weeks later we received a message that they found OVER 75 computers in one room, manned by people doing nothing but trying stolen cc # testing!
It is a jungle out there.
The best thing you can do is have your cc issuing companies send you an alert to your email, cell phone, text message... anywhere, every time a purchase is made with your cc account. That way you can see INSTANTLY when your card is accessed and notify your cc issuing co. of any possible breach.
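The "testing" pattern described in the post (same card number, a different security code on each attempt) can be flagged from a merchant's own authorization log. The following is an added example, not part of the original post: the record layout, the `cvv_mismatch` result label, the thresholds and the key are assumptions, and the sample attempts are constructed.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from datetime import datetime, timedelta

FINGERPRINT_KEY = b"constructed-demo-key"  # assumption: a per-merchant secret
WINDOW = timedelta(minutes=30)             # assumption: look-back window
MAX_CVV_DECLINES = 3                       # assumption: alert threshold

def card_fingerprint(pan: str) -> str:
    """Keyed hash of the card number so the log never holds the raw number."""
    return hmac.new(FINGERPRINT_KEY, pan.encode(), hashlib.sha256).hexdigest()

def find_card_testing(attempts):
    """attempts: time-ordered (timestamp, pan, ip, result) tuples.

    Only the gateway's decline reason is counted; the security code itself
    is never kept, since it must not be stored after authorization.
    Returns {card fingerprint: set of source IPs} for flagged cards.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, pan, ip, result in attempts:
        if result != "cvv_mismatch":       # hypothetical gateway result label
            continue
        fp = card_fingerprint(pan)
        q = recent[fp]
        q.append((ts, ip))
        while ts - q[0][0] > WINDOW:       # drop declines outside the window
            q.popleft()
        if len(q) >= MAX_CVV_DECLINES:
            flagged.setdefault(fp, set()).update(src for _, src in q)
    return flagged

# Constructed sample: test card numbers and documentation-range IPs.
T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE = [
    (T0, "4111111111111111", "203.0.113.10", "cvv_mismatch"),
    (T0 + timedelta(minutes=2), "4111111111111111", "203.0.113.11", "cvv_mismatch"),
    (T0 + timedelta(minutes=5), "4111111111111111", "203.0.113.10", "cvv_mismatch"),
    (T0 + timedelta(minutes=6), "5555555555554444", "198.51.100.7", "cvv_mismatch"),
    (T0 + timedelta(minutes=7), "5555555555554444", "198.51.100.7", "approved"),
    (T0 + timedelta(hours=2), "4111111111111111", "203.0.113.12", "cvv_mismatch"),
]

if __name__ == "__main__":
    for fp, ips in find_card_testing(SAMPLE).items():
        print(fp[:12], sorted(ips))
```

A customer who mistypes the code once and then succeeds (the second card in the sample) is not flagged; only repeated security-code declines on one card inside the window are.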