Kiddicare, a specialist child and baby retailer in the UK, has suffered a data breach and warned close to 800,000 customers that their personal data was exposed by hackers.
A small number of customers received a “possible phishing communication” from a website claiming to be a subsidiary of Kiddicare.com, which invited recipients to take part in a survey.
Kiddicare believes that the stolen data, which included names, email addresses, phone numbers and shipping addresses, was taken from a test site that has now been deleted. Payment details were not accessed by hackers as the company does not store such information on its systems.
The company became aware of the data breach after customers reported suspicious text messages that were not sent by Kiddicare and reported itself to the UK's Information Commissioner. A security company provided more information and Kiddicare was able to connect the breach to the test website that was used in November 2015.
“While redacted data should always be used for testing, with personally identifiable information, a hacker can much more easily assume that person's identity and cause significant disruption. The cyber-threat landscape has changed drastically in recent years and organisations have a very serious duty of care to their customers,” said Matt Middleton-Leal, regional director of UK & Ireland at CyberArk.
Worldstores, parent firm of Kiddicare, noted: “Increased security is already in place and we can confirm we have identified the source of the problem and taken steps to prevent it happening again.”
Security analyst Graham Cluley criticised Kiddicare in his blog for not making an announcement on their homepage or social media accounts: “It's almost as if Kiddicare would prefer to turn a blind eye to the potential seriousness of the breach.”
“One clear risk is that Kiddicare customers might be contacted by fraudsters pretending to be the baby specialist retailer, in an attempt to trick unsuspecting consumers into handing over payment information.”
Kiddicare apologised for any worry or inconvenience that may have resulted from the breach and the possibility of putting its customers at greater risk from phishing scams started by cyber-criminals.
“This latest breach goes to show how important it is to continually monitor for anomalous activity across the entire breadth of the network. While it's admirable that Kiddicare has gone straight to the UK's Information Commissioner, it's not good enough that the breach was discovered by customers whose information had not only been lost but already used with bad intentions. Kiddicare and similar organisations need to switch from such a reactive approach and, instead, be proactively hunting for the malicious activity within its network that allows data to be exposed,”said Justin Harvey, CSO at Fidelis Cyber-security in comments emailed to SCMagazineUK.com