British e-commerce store Sweaty Betty has become the latest victim of a digital skimming attack after customers unwittingly had their card data stolen over the period of a week.
In an email sent to customers, the women’s fashion retailer confirmed that “a third party gained unauthorized access to part of our website and inserted malicious code designed to capture information entered during the checkout process.”
Customers placing orders online or over the phone between November 19 and 27 are thought to have been affected, although the firm has not revealed how many may have had their card details stolen.
As well as card numbers, CVVs and expiry dates, the hackers may have stolen customer names, billing and email addresses, telephone numbers and passwords for the site.
“We can confirm that Sweaty Betty has launched a comprehensive investigation following a highly-sophisticated cybersecurity incident on our website platform. We worked quickly to engage specialist technical security consultants to assist us with our investigations and we can confirm the issue has now been resolved and apologize for any inconvenience,” a spokesperson told Infosecurity sister publication Essential Retail.
“We have taken all the necessary steps to inform those who may have been affected and the Information Commissioner’s Office (ICO) has been notified. We take data security extremely seriously and the privacy of our customers remains our highest priority. Importantly, this issue has been resolved, and it is safe to shop at Sweaty Betty – whether online, by phone, or in stores.”
The incident appears to have been a classic Magecart attack, in which hackers insert malicious JavaScript into payment pages to siphon off card details as customers enter them. It came just before the Black Friday sales weekend, when traffic to e-commerce stores soars.
In the past month alone, similar attacks have hit US gun-maker Smith & Wesson and department store Macy’s.
“Unfortunately, when armed with payment card information or personally identifiable information (PII), malicious parties can make fraudulent purchases, sell said data on the dark web for a quick profit, and much more,” argued Bitglass CTO, Anurag Kahol.
“Additionally, a staggering 59% of consumers reuse passwords across multiple accounts. This means that if a cyber-criminal appropriates a single password, they can potentially gain access to a user's accounts across a number of retailers and services where said password is reused.”