Children’s shoemaker Start-Rite confirms major security incident, full customer details leaked
A misconfiguration on permissions leaked sensitive data on millions of Start-Rite customers.
Start-Rite notifies customers of a major data breach which saw credit card data exposedThe details about the attackers are unknown at this timeUsers with purchases between October 14 and November 7 should scrutinize their bank statements
Children’s footwear brand Start-Rite has confirmed suffering a painful data breach in which it lost customer payment information.
The company confirmed the breach in a message to affected customers, The Register revealed, however, not all details about the breach are known at this time, so we don’t know who the attackers were, how many people were affected, or how the breach occurred.
What we do know is that the incident happened between October 14 and November 7, as Start-Rite told customers in its data breach notification email. The information stolen includes full names – as seen on credit and debit cards – postal addresses to which the cards are registered, card numbers, expiry dates, and the CVV numbers. In other words – whoever took this information has everything they need to make online card purchases, commit wire fraud, identity theft, and more.
NHS and friends
“On 11 November, Start-Rite Shoes became aware that it had suffered a security incident via a third-party application code on www.startriteshoes.com,” the company told The Register. “The breach potentially provided access to customer bank card information. The website is now secure and the malicious code and third-party app have been removed.”
The company’s social channels, and its website, say nothing about the incident just yet, but Start-Rite advised customers to disable the cards and ask their banks for a new one, noting, “we would advise you to contact your bank or credit card provider and ask them to stop the card you used to pay us and issue you with a replacement. You may be able to do this immediately via your mobile banking or credit card app.”
The company also advised users to double-check all transactions from October 14 onward. “If you do see anything which appears strange, you should contact your bank or credit card provider, tell them that you did not authorize the transaction, and ask for a refund. You may wish to provide them with a copy of this email to support your request.”
Given the wording of the statement, this seems to have been a credit card skimmer code installed on the company’s ecommerce site, such as the one MageCart crooks used to drop.
You might also like
MageCart attacks return to target hundreds of outdated ecommerce sitesHere’s a list of the best firewalls around todayThese are the best endpoint protection tools right now