Breakfast: the most important donut of the day.
The news report never stated that it was a "zencart" site. No mention was made of the technology driving that webshop (I'll try to reference the case for you.) The point was that the merchant was collecting card info and this was against his T&C's. And it just about ruined him.
Last year I had TWO instances of hackers entering clients' sites and "installing" the c-card module, applying their email addresses for the middle 8 digits and blocking the clients' own admin logins, changing the order confirmation copy email to admin... etc.
In one instance the damage was quite serious... I got a call from the client after 5 days to say "we've had no orders for a week... what's going wrong?" They did have orders... about 120 of them... and the crooks had made off with 120 c-card details AND the personal data of the shoppers.
Fortunately we were able to technically demonstrate that the module was not active prior to the hacks (admin activity log and a few other forensics), and only a small amount of fraud had taken place, despite the relatively large number of card details collected.
So even in a scenario where that mod is not even installed... hackers know how to exploit the admin panel once they are in.
I immediately set about removing the php files for offline cc payments from over 100 client sites and via a clever bit of php which a colleague built, we formulated a hidden alarm system to warn if the module even became "active" again.
Good riddance to that module. It passed its sell-by date a long time ago.
Our latest project is Pet Tags.