Babycare e-tailer Kiddicare admits customer data breach
Info has been doing the rounds underground
Babycare retailer Kiddicare has warned customers that personal data shared with the store has been stolen by hackers.
The compromised data is limited to name, delivery address, telephone number and email address, according to Kiddicare, which is keen to stress that customer payment details and credit/debit card information have not been accessed.
We want to make you aware that Kiddicare has recently experienced unauthorised access to some customer details. The information accessed does NOT include any credit/debit card information or any payment details whatsoever. Kiddicare does not store any of this information on its systems.
The retailer is keen to assure customers that the “cause of this issue has been addressed and you can continue to shop with confidence at Kiddicare”.
In response to the breach, Kiddicare’s parent firm Worldstores added that it has already increased security. Kiddicare says customer passwords are stored under “very strong encryption” and that there is no indication they were accessed, but it is nonetheless applying a precautionary reset of all passwords. The notice does not say which algorithm is used, or whether the stored values are salted hashes rather than reversible encryption, so customers who reused the same password elsewhere would be wise to change it on those sites too.
Increased security is already in place and we can confirm we have identified the source of the problem and taken steps to prevent it happening again. Your password is protected by very strong encryption and there is no indication that passwords were accessed, but we have taken the precaution of automatically resetting all passwords, so when you shop next please use the auto update facility to reset yours.
Kiddicare apologised for any worry or inconvenience resulting from the breach, the practical effect of which is to put customers at greater risk from more convincing phishing scams put together by crooks using the purloined data. It’s not clear how many records have been affected by the breach.
Kiddicare is yet to respond to El Reg on this point and other related questions. We’ll update this story as and when we hear more.
El Reg first became aware of a potential breach at Kiddicare when we were sent evidence that its database was being advertised through underground hacker forums three weeks ago. Kiddicare’s warning to customers confirms that the data on offer does contain at least some customer info. It’s still unclear when the breach took place.
Kiddicare.com was alerted to a possible phishing communication by a small number of customers prior to this notification. At least part of the dataset being touted around matches a dataset used in November 2015 on a test site, according to Kiddicare, which suggests that live customer records had been loaded into a test environment.
Customers of the site were notified of the snafu by email, a copy of which was forwarded to The Register (pdf). The firm has published an FAQ about the breach on its website but this was not immediately promoted through either its front page or social media accounts, omissions criticised by security watcher Graham Cluley. ®
According to the CTO of Worldstores, Kiddicare's parent firm, approximately 795k kiddicare.com records were accessed. Customers who registered up to 6 November 2015 were affected. The hacker withdrew the sale of the leaked database soon after news of the breach emerged.