Cosmetics company Lime Crime is notifying an undisclosed number of customers that unauthorized access was gained to its website server and malware designed to intercept customer data, including payment card information was installed – from October 2014 to February.
How many victims? Undisclosed.
What type of personal information? Names, addresses, card account numbers, expiration dates, security codes and Lime Crime website usernames and passwords.
What happened? Unauthorized access was gained to the Lime Crime website server and malware was installed that is designed to intercept the personal information.
What was the response? The malicious code was deleted. The Lime Crime website was moved to a new platform, which is validated as PCI compliant. Additional security scans were run on the website and no vulnerabilities were found. All customers are being notified, asked to update their Lime Crime website password and offered a free year of identity protection and fraud resolution services.
Details: The incident affected customers who made purchases on the Lime Crime website between Oct. 4, 2014, and Feb. 15. For customers that used PayPal to make purchases, Lime Crime website usernames and passwords may have been obtained, but credit or debit card information was not captured by the malware.
Quote: “We have received reports of customers who incurred fraudulent charges after shopping on [the Lime Crime website],” according to the notification posted to the Lime Crime website.
Source: limecrime.com, “SECURITY,” Feb. 24, 2015.
SCMagazine.com has requested additional information from Lime Crime via email. An automated reply indicated that Lime Crime is experiencing a heavy volume of requests, and email response times are more delayed than usual.