The DIY community has, it seems, been a victim of card-skimmer malware.
UK hardware store Robert Dyas has disclosed that card-skimming malware on the its e-commerce website has unfortunately meant the theft of customer financial data.
For 23 days, beginning March 7 & finishing March 30, a card skimmer was being used on the Robert Dyas’ website, according to an email that was sent to customers.
Payment Details
Robert Dyas is a UK company that provides DIY & home improvement products, gardening tools, & electricals. Customers that ordered these types of goods through the company’s website between these dates may have had their payment details stolen, including card numbers, expiry dates, & CVV security codes. Also, it is possible that customer names & addresses may have been taken as well.
The use of card-skimming malware & payment portal hijacking are now known as ‘Magecart attacks’. A website vulnerability is exploited, and JavaScript skimming code is then appended to legitimate scripts found in the payment area of websites.
Other victims of card-skimmers include British Airways & Ticketmaster.
Malicious Code
Robert Dyas became aware of the intrusion on March 30 & removed the malicious code. Anything up to 20,000 customers are involved in the security breach.
This damage has been increased by vastly increased sales of home improvement products due to the UK’s lock-down & ‘stay at home’ instructions. The hardware store has been in the midst of a massive online sales increase which led to an imposition of an online minimum spend of £50 ($61).
Forensic Investigator
“We are confident this issue has been fully resolved and the website has been safe for use since March 31,” a Robert Dyas spokesperson explained. “We are working with the relevant authorities in response to the incident & have appointed a Payment Card Industry Forensic Investigator to carry out an independent investigation. We are deeply sorry for the concern & inconvenience this illegal activity has caused some of our customers.”
Robert Dyas observed that the firm’s payment provider, who manages sales, has been notified, also banks & other associated financial services.
Notification
The UK’s Information Commissioner’s Office (ICO) has been notified, & if the data protection authority finds any fault with Robert Dyas security, a fine under GDPR could be imposed.
US Breach
Also, over in the US, a potentially serious data breach has occurred that may have impacted business owners seeking financial help from the Small Business Administration (SBA). The US agency explained that a security issue in the disaster relief fund web portal may have led to the exposure of personally identifiable information (PII) belonging to roughly 8,000 applicants.
