Thorny lessons from Roses Only

Stewart Carter
As many as 20,000 people may have had their credit card and personal details stolen from the Sydney-based online florist Roses Only earlier this year.

And the resulting fraudulent transactions on Visa and MasterCard accounts have already prompted Australian financial institutions to start cancelling and re-issuing customers' cards.

As many as 5000 of the affected card accounts are believed to be Westpac customers and a similar number Commonwealth Bank customers.

Hard data is, however, difficult to come by and most banks were reluctant to provide any comment on the record.

Rebekah Miles at the NAB said that "We don't want to give the criminals any information from which they can draw conclusions about the success of their exploits."

But an ANZ spokeswoman was more helpful and confirmed that the Roses Only problems had forced it to cancel and re-issue about 400 cards thus far.

"The nature of the data compromise means that the risk of fraud has been assessed as very low," she said, adding that "We are confident that our fraud detection systems … will allow us to protect our customers."

Customer confidence in online merchants, however, may be another story.

Few will be reassured by the fact that, for just a few days last week, the Roses Only website featured a statement saying "No credit-card details are stored on this site."

The statement has now disappeared, so it remains an open question whether or not Roses Only stores credit-card details in its own databases.

Indeed, it remains an open question how the card security breach happened in the first place.

James Stevens, chief executive of Roses Only, said yesterday that he had no idea how it happened.

The first he'd heard about it was when the company's bankers (St George) contacted him.

The actual data theft is believed to have taken place in early June, and Visa began notifying Australian issuers six or seven weeks ago.

News of the breach first became public, however, only last Friday week, via a report on the Seven Network in Sydney, with the broadcast followed by other media over the weekend.

Since then the NSW Fraud Squad has announced the formation of a special strike force to investigate the fraud.

And the Australian government's Privacy Commissioner, Karen Curtis, has made clear her displeasure.

"My Office is aware of the data breach relating to Roses Only and has been in contact with the company. We will be assessing the steps Roses Only has taken to address the situation," she said.

None of the others involved in building or operating the Roses Only website, such as internet payments gateway provider Securepay, security certificate provider Verisign, or site designer and builder Relate, could provide any clues as to what might have gone wrong.

Visa and MasterCard's jointly developed Payment Card Industry Data Security Standard (PCIDSS) is meant to ensure that Roses Only-type incidents can't happen.

Last September Visa said a survey showed that less than half of Australia's credit card processors and merchants were aware of their obligations under PCIDSS.

Those obligations include encrypting card data stored in databases, and quarterly and annual audits and assessments of site security.

Smaller businesses can do self-assessments of their PCIDSS compliance, but the standard requires everyone else to be audited by independent experts.

That isn't cheap, of course. MasterCard has said it will subsidise the cost, with audits available through Ambiron TrustWave.

PCIDSS theoretically even provides for penalties of up to $50,000 on merchants who fail to comply.

Acquiring banks have the main responsibility for ensuring compliance, but thus far there has been little evidence of any local banks being enthusiastic about that role.

St George spokeswoman Lara Daniels said the bank is monitoring the Roses Only situation very carefully.

"In terms of St.George debit and credit cards, we have identified only a small number of cards that have been impacted."

And on the PCIDSS issue she said the bank worked very closely with all its business customers on PCI compliance.

"We have programs in place to ensure merchants are aware of the requirements and what they need to do to ensure they comply."

* Stewart Carter is publisher of The eCommerce Report where an earlier version of this article first appeared.