UK hardware chain Robert Dyas' website was hit by card-stealing malware that siphoned off customer payment details, including the long card number, expiration date and security code (CVV).
Between March 7 and 30, a card skimmer was present on Robert Dyas' payment processing page, the chain admitted in an email sent to affected customers and seen by The Register.
“We learned on March 30, 2020 that malware was downloaded from our e-commerce website by an external third party, which was immediately blocked by our IT security team,” said the email.
The stolen data is said to contain “personal information and credit/debit cards, as well as the names and addresses of customers”. Robert Dyas account passwords have not been stolen, but that will be the least of the worries of those affected.
From the description, it is clear that malicious card-skimming software was present. We have asked the Theo Paphitis-owned chain for more details and whether the infection was the well-known Magecart malware.
Jake Moore of infosec biz ESET commented dryly to The Register: “This is by no means the perfect time to have a card skimmer to hide and use on your site at a time when online sales are going through the roof in most industries.”
He added: “For those affected, it can even be a double whammy to find out when they understand the full potential and the impact it can have on their finances. Of course, these customers should contact their banks for more details and additional support, but that shouldn’t “Although no password seems to have been taken, I suggest that they be changed procedurally in case it turns out that more data has in fact been compromised.”
In March – ironically – the American brand Tupperware was struck by a similar infection which used a malicious PNG image file with steganographic techniques to hide the compromise.
Robert Dyas belongs to Dragons' Den TV star Theo Paphitis. It has 94 stores in the south of the UK and at Christmas 2018 boasted that online sales had increased by 45 percent in the previous 12 months, reaching more than £131.8 million and making a gross profit (EBITDA) of £1.6 million. The previous year, it made a loss of £780,000.
A spokesperson for Robert Dyas said, “As soon as we became aware of the presence of malware deployed by an external third party on our e-commerce site, we took immediate action to remove it. We are confident that this issue has been fully resolved and that the website can be used safely since March 31.
“We have informed our merchant service provider – which handles all of our online credit or debit card payments on our behalf – and the affected card systems, which notify payment card providers, which include banks. We are in contact with around 20,000 affected customers and also recommend that they contact their bank or card supplier and follow their recommendations as a precaution.
“We are working with the appropriate authorities in response to the incident and have appointed a forensic investigator in the payment card industry to conduct an independent investigation. We are deeply sorry for the concerns and inconvenience this illegal activity has caused to some of our customers.”
The spokesman added that “unfortunately, the authors had access to the long card number, expiration date and security code (CVV)”.